killchain-compendium/Miscellaneous/BPF Filter.md

# Wireshark BPF Filters

* This is a collection of bpf and wireshark filters to find specific network situations.

## TCP Scans

* Recognize nmap scans in traffic

### TCP Connect Scan

* Has a TCP window size larger than 1024 bytes

Open TCP Port looks like

```sh
SYN -->
<-- SYN, ACK
ACK -->
```

or

```sh
SYN -->
<-- SYN,ACK
ACK -->
RST, ACK -->
```

Closed TCP Port

```sh
SYN -->
<-- RST, ACK
```

* Find TCP Connect scan pattern
```bpf
tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.window_size > 1024
```

### TCP Half Open SYN Scan

* Lower or equal to 1024 bytes windows size

Open TCP Port looks like

```sh
SYN -->
<-- SYN, ACK
RST -->
```

Closed TCP Port looks like

```sh
SYN -->
<-- RST, ACK
```

* Find half open SYN scan pattern
```bpf
tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.window_size <=1024
```

## UDP Scans 

Open UDP Port looks like

```sh
UDP packet -->
```

A closed UDP port is recognizable by an ICMP Type 3 reply

```sh
UDP packet -->
<-- ICMP Type 3
```

* Find UDP scan pattern with closed ports as a reply
```bpf
icmp.type==3 and icmp.code==3
```

## ARP

* Find ARP requests
```bpf
arp.opcode == 1
```

* Find ARP responses
```bpf
arp.opcode == 2
```

* Find MAC address
```sh
arp.dst.hw_mac == 00:00:DE:AD:BA:BE
```

* Detect ARP Poisoning
```bpf
arp.duplicate-address-detected or arp.duplicate-address-frame
```

* Detect ARP Flooding
```bpf
((arp) && (arp.opcode == 1)) && (arp.src.hw_mac == <TARGET_MAC>)
```

## DHCP Analysis

* `dns` or `bootp`

* DHCP Request
```sh
dhcp.option.dhcp == 3
```

* DHCP ACK
```sh
 dhcp.option == 5
```


* DHCP NAK
```sh
dhcp.option == 6
```

* Other DHCP options
    * 12 Hostname.
    * 15 domain name
    * 51 Requested IP lease time.
    * 61 Client's MAC address
    * 50 Requested IP address.
    * 51 assigned IP lease time
    * 56 Message rejection details

## NetBIOS

* `nbns`
* NetBIOS details are the interesting info, for example
```sh
nbns.name contains "foo"
```

## Kerberos

* `kerberos`

* Search for cname information
```sh
kerberos.CNameString contains "foo"
```

* Find machine hostnames
```sh
kerberos.CNameString and !(kerberos.CNameString contains "$")
```

* Find Kerberos protocol version
```sh
kerberos.pvno == 5
```

* Domain name for a created Kerberos ticket
```sh
kerberos.realm contains ".foo"
```

* Service and domain name for the created Kerberos ticket
```sh
kerberos.SNnameString == "krbtg"
```

## Tunneled Traffic

### ICMP Exfiltration

* `icmp`
* Check for destination, packet length or encapsulated protocols
```sh
icmp && data.len > 64 
```

### DNS Exfiltration

* `dns`
* Check for query length, unusual, encoded or long DNS address name queries
* Check for dnscat and dns2tcp or high frequency of DNS queries
```sh
dns contains "dns2tcp"
dns contains "dnscat"
dns.qry.name.len > 15 !mdns
```

## FTP Traffic

```sh
ftp.response.code == 211
```
* FTP response codes
    * __211__, System status
    * __212__, Directory status
    * __213__, File status
    * __220__, Service ready
    * __227__, Entering passive mode
    * __228__, Long passive mode
    * __229__, Extended passive mode
    * __230__, User login
    * __231__, User logout
    * __331__, Valid username
    * __430__, Invalid username or password
    * __530__, No login, invalid password

* Some FTP commands
    * __USER__, Username
    * __PASS__, Password
    * __CWD__, Current work directory
    * __LIST__, List

* FTP Commands can be found via
```sh
ftp.request.command == "USER"
ftp.request.arg == "password"
```

* __Bruteforce signal__, list failed login attempts
```sh
ftp.response.code == 530
```

* __Bruteforce signal__, List target username
```sh
(ftp.response.code == 530) && (ftp.response.arg contains "username")
```

* __Password spray signal__, List targets for a static password
```sh
(ftp.request.command == "PASS") && (ftp.request.arg == "password")
```

## HTTP

* `http` or `http2`
* HTTP methods can be searched for 
```sh
http.request.method == "GET"
http.request
```

* HTTP response codes
    * __200__, OK
    * __301__, Moved Permanently
    * __302__, Moved Temporarily
    * __400__, Bad Request
    * __401__, Unauthorised
    * __403__, Forbidden
    * __404__, Not Found
    * __405__, Method Not Allowed
    * __408__, Request Timeout
    * __500__, Internal Server Error
    * __503__, Service Unavailable
```sh
http.response.code == 200
```

* HTTP header parameters
```sh
http.user_agent contains "nmap"
http.request.uri contains "foo"
http.request.full_uri contains "foo"
```

* Other HTTP header parameters
    * __Server__: Server service name
    * __Host__: Hostname of the server
    * __Connection__: Connection status
    * __Line-based text data__: Cleartext data provided by the server
```sh
http.server contains "apache"
http.host contains "keyword"
http.host == "keyword"
http.connection == "Keep-Alive"
data-text-lines contains "keyword"
```

* HTTP User Agent and the usual tools to find
```sh
http.user_agent
(http.user_agent contains "sqlmap") or (http.user_agent contains "Nmap") or (http.user_agent contains "Wfuzz") or (http.user_agent contains "Nikto")
```

### HTTP and Log4j

```sh
http.request.method == "POST"
(ip contains "jndi") or ( ip contains "Exploit")
(frame contains "jndi") or ( frame contains "Exploit")
(http.user_agent contains "$") or (http.user_agent contains "==")
```

## HTTPS

* __Client Hello__, (http.request or tls.handshake.type == 1) && !(ssdp) 
* __Server Hello__,(http.request or tls.handshake.type == 2) && !(ssdp)  

* Put in pre-shared key via `Edit --> Preferences --> Protocols --> TLS`
* __Get the pre-shared key via__
```sh
ip xfrm state
```
* Alternatively use a Pre-Master-Secret log file to decode TLS


## Plain Text Credentials

`Tools` -> `Credentials` shows all the plain text credentials inside the pcap file

## Firewall ACLs Rules

Create FW ACL rules via `Tools` -> `Firewall ACL Rules`. Rule can be created for
* iptables
* IOS
* ipfilter
* ipfw
* pf
* netsh