Wireshark tricks

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Improve your Wireshark skills

Tutorials

ŠŠ°ŃŃ‚ŃƒŠæŠ½Ń– Š½Š°Š²Ń‡Š°Š»ŃŒŠ½Ń– ŠæŠ¾ŃŃ–Š±Š½ŠøŠŗŠø чуŠ“Š¾Š²Š¾ ŠæіŠ“хŠ¾Š“ять Š“Š»Ń Š²ŠøŠ²Ń‡ŠµŠ½Š½Ń Š“ŠµŃŠŗŠøх Š¾ŃŠ½Š¾Š²Š½Šøх трюŠŗіŠ²:

Analysed Information

Expert Information

Clicking Analyze --> Expert Information gives you an overview of what is going on in the analysed packets: errors, warnings and notes such as retransmissions, malformed packets or unusual flags, grouped by severity and protocol:

Resolved Addresses

In Statistics --> Resolved Addresses you can find what Wireshark has "resolved": port/transport to service name, MAC address to manufacturer (OUI), IP to host name (from DNS answers in the capture or the hosts file). It is useful for knowing who is involved in the communication.

Protocol Hierarchy

In Statistics --> Protocol Hierarchy you can find the protocols involved in the communication and data about them (packet and byte counts per layer).

Conversations

In Statistics --> Conversations you can find a summary of the conversations (pairs of addresses or ports talking to each other) in the communication and data about them.

Endpoints

In Statistics --> Endpoints you can find a summary of the endpoints in the communication and data about each of them.

DNS info

In Statistics --> DNS you can find statistics about the captured DNS requests (query types, response codes, names).

I/O Graph

In Statistics --> I/O Graph you can find a graph of the communication over time (packets or bytes per interval, optionally one line per display filter).

Filters

Here you can find the Wireshark filters by protocol: https://www.wireshark.org/docs/dfref/ Other interesting filters:

  • HTTP and initial HTTPS traffic (HTTP requests plus TLS ClientHellos, SSDP noise on UDP 1900 excluded):
    (http.request or ssl.handshake.type == 1) and !(udp.port eq 1900)

  • The same plus TCP SYNs, i.e. every connection attempt, whether or not it succeeded:
    (http.request or ssl.handshake.type == 1 or tcp.flags eq 0x0002) and !(udp.port eq 1900)

  • The same plus DNS, so you also see the name lookups that preceded the connections:
    (http.request or ssl.handshake.type == 1 or tcp.flags eq 0x0002 or dns) and !(udp.port eq 1900)

ssl.handshake.type == 1 matches the ClientHello; since Wireshark 3.0 the dissector is called tls and the field is tls.handshake.type, the ssl. names being kept as aliases. tcp.flags eq 0x0002 matches segments with only the SYN flag set.

If you want to search for content inside the packets of the sessions press CTRL+f (the search dialog can look in the packet list, packet details or packet bytes, and match a string, a hex value, a regular expression or a display filter). You can add new columns to the packet list (No., Time, Source, etc.) by right-clicking a column header and choosing Edit Column, or faster: right-click any field in the packet details and choose Apply as Column.

Free pcap labs

Practice with free challenges at: https://www.malware-traffic-analysis.net/

Identifying Domains

You can add a column that shows the HTTP Host header (field http.host):

And a column that adds the server name from an initiating HTTPS connection, i.e. the SNI extension of the ClientHello (ssl.handshake.type == 1; field tls.handshake.extensions_server_name):
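As an added example (not code from the page), this Python script does by hand what the two columns above and the `http.request or ssl.handshake.type == 1` filter from the Filters section do inside Wireshark: pull the Host header out of an HTTP request and the SNI out of a TLS ClientHello, which is the last plaintext place a domain name appears before the session is encrypted. The HTTP request and the ClientHello it is fed are constructed inline; the parser follows the TLS record and handshake layout, and refuses a hello that is truncated (needs TCP reassembly) or is not handshake type 1.

```python
import struct

# Wireshark fields behind the two columns on this page:
#   http.host                             Host header of an HTTP request
#   tls.handshake.extensions_server_name  SNI of a TLS ClientHello (tls.handshake.type == 1)

def http_request_host(payload: bytes):
    """Return (method, host) if payload starts with an HTTP/1.x request, else None."""
    head, sep, _ = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return None
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace")
    return parts[0].decode("ascii", "replace"), host

def client_hello_sni(record: bytes):
    """Return the SNI host_name of a TLS ClientHello record; None if not a ClientHello or no SNI."""
    # TLSPlaintext: type(1)=0x16 version(2) length(2); Handshake: type(1)=0x01 length(3)
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if len(body) < hs_len:
        return None                      # truncated: the hello spans several TCP segments
    try:
        pos = 2 + 32                     # client_version + random
        pos += 1 + body[pos]             # session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
        pos += 1 + body[pos]             # compression_methods
        if pos + 2 > len(body):
            return None                  # hello without an extensions block
        ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
            if etype != 0x0000:          # extension type 0 = server_name
                continue
            off = 2                      # skip ServerNameList length
            while off + 3 <= len(edata):
                ntype, nlen = edata[off], int.from_bytes(edata[off + 1:off + 3], "big")
                if ntype == 0:           # name_type 0 = host_name
                    return edata[off + 3:off + 3 + nlen].decode("ascii", "replace")
                off += 3 + nlen
    except (IndexError, struct.error):
        return None                      # malformed hello
    return None

def classify(payload: bytes):
    """What the filter (http.request or ssl.handshake.type == 1) would show for this TCP payload."""
    http = http_request_host(payload)
    if http:
        return ("http", http[1])
    sni = client_hello_sni(payload)
    if sni:
        return ("tls-client-hello", sni)
    return None

def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal ClientHello with one cipher suite and only an SNI extension (not captured traffic)."""
    host = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host              # name_type 0 + host_name
    sni_ext = struct.pack("!HHH", 0x0000, len(entry) + 2, len(entry)) + entry
    body = (b"\x03\x03" + bytes(32)      # client_version TLS 1.2, 32-byte random (zeros here)
            + b"\x00"                    # empty session_id
            + b"\x00\x02\xc0\x2f"        # cipher_suites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
            + b"\x01\x00"                # compression_methods: null
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```

Feed `classify` the first payload of each TCP stream and you get the same domain list the two custom columns give you. Encrypted Client Hello (ECH) and TLS sessions resumed without SNI will show up as None here and as an empty column in Wireshark; in those cases fall back to the DNS filter from the list above.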

Identifying local hostnames

From DHCP

In current Wireshark versions the dissector is called dhcp instead of bootp, so filter on dhcp (e.g. dhcp.option.hostname for the client's host name, option 12); the client's MAC is in the chaddr field of the same packets.

From NBNS

NetBIOS Name Service registrations and queries (UDP 137) carry the host names Windows machines announce for themselves; filter on nbns and look at nbns.name.
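As an added example covering both the DHCP and the NBNS subsections (this is not code from the page), the following Python parses the two places a local host name shows up: the options area of a DHCP message (option 12 host name, 60 vendor class, 61 client identifier, plus the chaddr MAC) and the first-level encoded name in an NBNS question, which has to be decoded before it is readable. The DHCPDISCOVER and NBNS query it is run on are constructed inline, not captured traffic.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
DHCP_FIXED_LEN = 236          # op .. file fields that precede the magic cookie

def dhcp_options(payload: bytes) -> dict:
    """Parse the DHCP options TLV area into {code: bytes}; raises ValueError without the magic cookie."""
    if payload[DHCP_FIXED_LEN:DHCP_FIXED_LEN + 4] != DHCP_MAGIC:
        raise ValueError("not a DHCP message (magic cookie missing)")
    opts, pos = {}, DHCP_FIXED_LEN + 4
    while pos < len(payload):
        code = payload[pos]
        if code == 0:             # pad
            pos += 1
            continue
        if code == 255:           # end
            break
        length = payload[pos + 1]
        opts[code] = payload[pos + 2:pos + 2 + length]
        pos += 2 + length
    return opts

def dhcp_identity(payload: bytes) -> dict:
    """Fields that identify the client: chaddr MAC, option 53 type, 12 host name, 60 vendor class, 61 client id."""
    opts = dhcp_options(payload)
    hlen = payload[2]                                            # hardware address length
    mac = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])   # chaddr starts at offset 28
    return {
        "mac": mac,
        "msg_type": opts.get(53, b"\x00")[0],
        "hostname": opts.get(12, b"").decode("utf-8", "replace") or None,
        "vendor_class": opts.get(60, b"").decode("ascii", "replace") or None,
        "client_id": opts.get(61, b"").hex() or None,
    }

NBNS_SUFFIX = {0x00: "workstation", 0x03: "messenger", 0x20: "file server",
               0x1B: "domain master browser", 0x1C: "domain controllers",
               0x1D: "master browser", 0x1E: "browser election"}

def nbns_decode_name(encoded: str):
    """Undo NetBIOS first-level encoding: each nibble of the 16-byte name is stored as 'A' + nibble."""
    if len(encoded) != 32 or any(c < "A" or c > "P" for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii", "replace"), raw[15]   # (name, suffix byte)

def nbns_encode_name(name: str, suffix: int = 0x00) -> str:
    """Inverse of nbns_decode_name (15 chars space-padded + 1 suffix byte -> 32 letters A..P)."""
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)

def nbns_question_name(payload: bytes):
    """(name, suffix description) of the first question in an NBNS query/registration, None if none."""
    # 12-byte header laid out like DNS: id, flags, qdcount, ancount, nscount, arcount
    qdcount = struct.unpack("!H", payload[4:6])[0]
    if qdcount < 1:
        return None
    label_len = payload[12]
    name, suffix = nbns_decode_name(payload[13:13 + label_len].decode("ascii"))
    return name, NBNS_SUFFIX.get(suffix, f"0x{suffix:02x}")

def build_dhcp_discover(mac: bytes, hostname: str) -> bytes:
    """Constructed DHCPDISCOVER (UDP payload), not captured traffic."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                         bytes(4), bytes(4), bytes(4), bytes(4), mac.ljust(16, b"\0"), bytes(64), bytes(128))
    options = (b"\x35\x01\x01"                                   # 53: DHCPDISCOVER
               + b"\x3d\x07\x01" + mac                           # 61: client id = htype 1 + MAC
               + b"\x0c" + bytes([len(hostname)]) + hostname.encode()   # 12: host name
               + b"\x3c\x08MSFT 5.0"                             # 60: vendor class
               + b"\xff")
    return header + DHCP_MAGIC + options

def build_nbns_query(name: str, suffix: int = 0x20) -> bytes:
    """Constructed NBNS name query (default: the <20> file-server name), not captured traffic."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0110, 1, 0, 0, 0)
    qname = b"\x20" + nbns_encode_name(name, suffix).encode("ascii") + b"\x00"
    return header + qname + struct.pack("!HH", 0x0020, 0x0001)   # type NB, class IN
```

The suffix byte matters when you map a network: <00> is the workstation name, <20> the file server name, <1B>/<1C> point at the domain controllers. Wireshark shows the decoded form in nbns.name; this script is what that decoding does.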

Decrypting TLS

Decrypting https traffic with server private key

Edit > Preferences > Protocols > TLS (called SSL before Wireshark 3.0) > RSA keys list; in Wireshark 3.0 and later the same list lives under Edit > Preferences > RSA Keys.

Press Edit and add the server data and the private key (IP, Port, Protocol, Key file and password). This only works when the session used RSA key exchange: with (EC)DHE cipher suites or TLS 1.3 the server's private key does not give you the session keys, and you need the key log approach below.

Decrypting https traffic with symmetric session keys

Both Firefox and Chrome can log the TLS session keys they negotiate, and Wireshark can use that log to decrypt the TLS traffic, which allows in-depth analysis of the secured communication regardless of the cipher suite. More details on how to perform this decryption can be found in a guide at Red Flag Security.

To find out whether a process is logging its keys, look for the SSLKEYLOGFILE variable in its environment; to enable it yourself, export SSLKEYLOGFILE=/path/to/keys.log before launching the browser.

The key log is a plain text file in NSS Key Log Format, one secret per line: a label, the 32-byte client random of the session in hex, and the secret in hex (for TLS 1.2 a single CLIENT_RANDOM line carrying the master secret; for TLS 1.3 one line per traffic secret). It will look like this:

To import it in Wireshark go to Edit > Preferences > Protocols > TLS (SSL in versions before 3.0) and set (Pre)-Master-Secret log filename to that file:
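As an added example (not from the page or from the Red Flag Security guide), this Python script parses a key log in the format above and answers the question that usually comes up when decryption does not work: for a given ClientHello in the capture, is there a matching secret in the log at all, and is it a TLS 1.2 master secret or a set of TLS 1.3 traffic secrets? Wireshark matches log lines to sessions exactly this way, by the 32-byte client random. The key log used here is constructed with dummy randoms and secrets, and its last line is deliberately malformed.

```python
import re

# NSS Key Log Format: "<label> <client_random hex> <secret hex>", '#' starts a comment line.
TLS12_LABELS = {"CLIENT_RANDOM"}                 # TLS <= 1.2: secret is the 48-byte master secret
TLS13_LABELS = {"CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
                "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
                "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET", "EARLY_EXPORTER_SECRET"}
ALL_LABELS = TLS12_LABELS | TLS13_LABELS
HEX = re.compile(r"^[0-9a-fA-F]+$")

def parse_keylog(text: str):
    """Return ({client_random: {label: secret}}, [malformed line numbers])."""
    sessions, bad = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        ok = (len(parts) == 3 and parts[0] in ALL_LABELS
              and HEX.match(parts[1]) and HEX.match(parts[2])
              and len(parts[1]) == 64                                  # 32-byte client random
              and (parts[0] != "CLIENT_RANDOM" or len(parts[2]) == 96))  # 48-byte master secret
        if not ok:
            bad.append(lineno)
            continue
        rnd, secret = bytes.fromhex(parts[1]), bytes.fromhex(parts[2])
        sessions.setdefault(rnd, {})[parts[0]] = secret
    return sessions, bad

def client_hello_random(record: bytes) -> bytes:
    """Client random of a ClientHello: 5-byte record header + 4-byte handshake header + 2-byte version, then 32 bytes."""
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    return record[11:43]

def decryptable(sessions: dict, client_random: bytes):
    """'tls1.2' (master secret logged), 'tls1.3' (application traffic secrets logged),
    'handshake-only' (only handshake secrets: certificates visible, application data not), or None."""
    labels = sessions.get(client_random)
    if not labels:
        return None
    if "CLIENT_RANDOM" in labels:
        return "tls1.2"
    if {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"} <= labels.keys():
        return "tls1.3"
    return "handshake-only"

def sample_keylog() -> str:
    """Constructed key log in the on-disk format; randoms and secrets are dummy bytes, not real keys."""
    r12, ms = "11" * 32, "22" * 48        # TLS 1.2 session: client random + 48-byte master secret
    r13, s = "33" * 32, "44" * 32         # TLS 1.3 session: client random + 32-byte secrets (SHA-256 suites)
    return "\n".join([
        "# constructed sample, not real session keys",
        f"CLIENT_RANDOM {r12} {ms}",
        f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {r13} {s}",
        f"SERVER_HANDSHAKE_TRAFFIC_SECRET {r13} {s}",
        f"CLIENT_TRAFFIC_SECRET_0 {r13} {s}",
        f"SERVER_TRAFFIC_SECRET_0 {r13} {s}",
        "CLIENT_RANDOM deadbeef tooshort",    # malformed: Wireshark silently ignores such lines
    ]) + "\n"
```

If `decryptable` returns None for most ClientHellos in a capture, the process that produced the traffic was not honouring SSLKEYLOGFILE (for example a TLS library other than NSS/BoringSSL) or the log comes from a different run than the capture. For scripted work the same file is passed to tshark with `-o tls.keylog_file:/path/to/keys.log`, e.g. `tshark -r capture.pcapng -o tls.keylog_file:keys.log -Y http.request`.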

ADB communication

Extract an APK from an ADB communication in which the APK was sent (adb push): the file travels in WRTE messages whose payload is the sync protocol, and the script below strips the 24-byte ADB headers and the 8-byte DATA chunk headers and keeps the rest:

from scapy.all import rdpcap, Raw

pcap = rdpcap("final2.pcapng")

def rm_data(data):
    # Drop the sync "DATA" chunk header (4-byte id + 4-byte length) if the payload carries one
    splitted = data.split(b"DATA")
    if len(splitted) == 1:
        return data
    else:
        return splitted[0] + splitted[1][4:]

all_bytes = b""
for pkt in pcap:
    if Raw in pkt:
        a = bytes(pkt[Raw])
        if a[:4] == b"WRTE":
            # Skip the 24-byte ADB message header in front of the WRTE payload
            all_bytes += rm_data(a[24:])
        else:
            all_bytes += rm_data(a)
print(all_bytes)

with open('all_bytes.data', 'w+b') as f:
    f.write(all_bytes)
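The script above works when every DATA header starts a TCP segment and the APK never contains the bytes "DATA", because it locates chunks by searching for that string. As an added example (not code from the page), the following Python parses the ADB transport and sync protocol by their length fields instead: it validates each 24-byte ADB header (magic is the command XOR 0xFFFFFFFF, and the checksum, when non-zero, is the byte sum of the payload), concatenates the WRTE payloads into one stream, and walks SEND/DATA/DONE to rebuild every pushed file under its remote path. The host-to-device stream it is run on is constructed inline with a DATA header deliberately split across two WRTE messages and "DATA" inside the file content; the scapy helper at the end assumes adb over TCP on port 5555, which is an assumption about the capture, not something the page states.

```python
import struct

ADB_HEADER = struct.Struct("<4sIIIII")   # command, arg0, arg1, data_length, data_check, magic (little-endian)

def adb_messages(stream: bytes):
    """Yield (command, arg0, arg1, payload) for each ADB message in one direction of the transport."""
    pos = 0
    while pos + ADB_HEADER.size <= len(stream):
        cmd, arg0, arg1, dlen, dcheck, magic = ADB_HEADER.unpack_from(stream, pos)
        if magic != (int.from_bytes(cmd, "little") ^ 0xFFFFFFFF):
            raise ValueError(f"bad ADB magic at offset {pos}: not on a message boundary")
        payload = stream[pos + ADB_HEADER.size:pos + ADB_HEADER.size + dlen]
        if len(payload) < dlen:
            raise ValueError("truncated ADB message (missing TCP segments?)")
        # Newer protocol versions send data_check = 0 and skip verification; otherwise it is the byte sum
        if dcheck and dcheck != sum(payload) & 0xFFFFFFFF:
            raise ValueError(f"ADB checksum mismatch at offset {pos}")
        yield cmd, arg0, arg1, payload
        pos += ADB_HEADER.size + dlen

def sync_files(sync_stream: bytes) -> dict:
    """Parse the sync: sub-protocol (SEND / DATA / DONE) into {remote_path: file_bytes}."""
    files, current, buf, pos = {}, None, b"", 0
    while pos + 8 <= len(sync_stream):
        sid = sync_stream[pos:pos + 4]
        length = struct.unpack("<I", sync_stream[pos + 4:pos + 8])[0]
        pos += 8
        if sid == b"SEND":                   # body is "remote_path,mode"
            current = sync_stream[pos:pos + length].decode().rsplit(",", 1)[0]
            buf, pos = b"", pos + length
        elif sid == b"DATA":                 # body is `length` bytes of file content (<= 64 KiB per chunk)
            buf += sync_stream[pos:pos + length]
            pos += length
        elif sid == b"DONE":                 # the length field carries the mtime; no body
            if current is not None:
                files[current] = buf
            current, buf = None, b""
        else:
            raise ValueError(f"unexpected sync id {sid!r} at offset {pos - 8}")
    return files

def extract_pushed_files(host_to_device: bytes) -> dict:
    """Concatenate all WRTE payloads (the sync channel) and rebuild the pushed files."""
    sync = b"".join(p for cmd, _, _, p in adb_messages(host_to_device) if cmd == b"WRTE")
    return sync_files(sync)

def adb_message(cmd: bytes, arg0: int, arg1: int, payload: bytes = b"") -> bytes:
    """Build one ADB message the way the host does (used only for the constructed sample)."""
    magic = int.from_bytes(cmd, "little") ^ 0xFFFFFFFF
    return ADB_HEADER.pack(cmd, arg0, arg1, len(payload), sum(payload) & 0xFFFFFFFF, magic) + payload

def sample_stream(apk: bytes) -> bytes:
    """Constructed host->device stream for `adb push app.apk /data/local/tmp/app.apk` (not a real capture).
    The sync stream is cut at byte 52, inside the second DATA header, so the two WRTE payloads do not
    align with chunk boundaries."""
    path = b"/data/local/tmp/app.apk,33188"
    sync = (b"SEND" + struct.pack("<I", len(path)) + path
            + b"DATA" + struct.pack("<I", 3) + apk[:3]
            + b"DATA" + struct.pack("<I", len(apk) - 3) + apk[3:]
            + b"DONE" + struct.pack("<I", 1700000000))
    return (adb_message(b"OPEN", 1, 0, b"sync:\x00")
            + adb_message(b"WRTE", 1, 2, sync[:52])
            + adb_message(b"WRTE", 1, 2, sync[52:])
            + adb_message(b"CLSE", 1, 2))

def host_to_device_stream(pcap_path: str, device_port: int = 5555) -> bytes:
    """Rebuild the host->device byte stream from a capture of adb over TCP (port 5555 assumed).
    Segments are ordered by sequence number and retransmissions with the same seq are dropped."""
    from scapy.all import rdpcap, TCP, Raw       # imported here so the parser above runs without scapy
    segments = {}
    for p in rdpcap(pcap_path):
        if TCP in p and Raw in p and p[TCP].dport == device_port:
            segments.setdefault(p[TCP].seq, bytes(p[Raw]))
    return b"".join(segments[seq] for seq in sorted(segments))
```

Run `extract_pushed_files(host_to_device_stream("final2.pcapng"))` on the page's capture to get the files keyed by the path given to adb push; the mode after the comma in the SEND body and the mtime in DONE are worth keeping as evidence of when and with what permissions the APK landed.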
