bpf wireshark filters

misc/BPF Filter.md

@@ -1,4 +1,4 @@
-# BPF Filters
+# Wireshark BPF Filters
 
 * This is a collection of bpf and wireshark filters to find specific network situations.
 
@@ -36,7 +36,7 @@ SYN -->
 
 * Find TCP Connect scan pattern
 ```bpf
-tcp.flags.syn == 1 and tcp.flags.ack==0 and tcp.window_size > 1024
+tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.window_size > 1024
 ```
 
 ### TCP Half Open SYN Scan
@@ -60,7 +60,7 @@ SYN -->
 
 * Find half open SYN scan pattern
 ```bpf
-tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size <=1024
+tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.window_size <=1024
 ```
 
 ## UDP Scans 
@@ -83,3 +83,251 @@ UDP packet -->
 icmp.type==3 and icmp.code==3
 ```
 
+## ARP
+
+* Find ARP requests
+```bpf
+arp.opcode == 1
+```
+
+* Find ARP responses
+```bpf
+arp.opcode == 2
+```
+
+* Find MAC address
+```sh
+arp.dst.hw_mac == 00:00:DE:AD:BA:BE
+```
+
+* Detect ARP Poisoning
+```bpf
+arp.duplicate-address-detected or arp.duplicate-address-frame
+```
+
+* Detect ARP Flooding
+```bpf
+((arp) && (arp.opcode == 1)) && (arp.src.hw_mac == <TARGET_MAC>)
+```
+
+## DHCP Analysis
+
+* `dns` or `bootp`
+
+* DHCP Request
+```sh
+dhcp.option.dhcp == 3
+```
+
+* DHCP ACK
+```sh
+ dhcp.option == 5
+```
+
+
+* DHCP NAK
+```sh
+dhcp.option == 6
+```
+
+* Other DHCP options
+    * 12 Hostname.
+    * 15 domain name
+    * 51 Requested IP lease time.
+    * 61 Client's MAC address
+    * 50 Requested IP address.
+    * 51 assigned IP lease time
+    * 56 Message rejection details
+
+## NetBIOS
+
+* `nbns`
+* NetBIOS details are the interesting info, for example
+```sh
+nbns.name contains "foo"
+```
+
+## Kerberos
+
+* `kerberos`
+
+* Search for cname information
+```sh
+kerberos.CNameString contains "foo"
+```
+
+* Find machine hostnames
+```sh
+kerberos.CNameString and !(kerberos.CNameString contains "$")
+```
+
+* Find Kerberos protocol version
+```sh
+kerberos.pvno == 5
+```
+
+* Domain name for a created Kerberos ticket
+```sh
+kerberos.realm contains ".foo"
+```
+
+* Service and domain name for the created Kerberos ticket
+```sh
+kerberos.SNnameString == "krbtg"
+```
+
+## Tunneled Traffic
+
+### ICMP Exfiltration
+
+* `icmp`
+* Check for destination, packet length or encapsulated protocols
+```sh
+icmp && data.len > 64 
+```
+
+### DNS Exfiltration
+
+* `dns`
+* Check for query length, unusual, encoded or long DNS address name queries
+* Check for dnscat and dns2tcp or high frequency of DNS queries
+```sh
+dns contains "dns2tcp"
+dns contains "dnscat"
+dns.qry.name.len > 15 !mdns
+```
+
+## FTP Traffic
+
+```sh
+ftp.response.code == 211
+```
+* FTP response codes
+    * __211__, System status
+    * __212__, Directory status
+    * __213__, File status
+    * __220__, Service ready
+    * __227__, Entering passive mode
+    * __228__, Long passive mode
+    * __229__, Extended passive mode
+    * __230__, User login
+    * __231__, User logout
+    * __331__, Valid username
+    * __430__, Invalid username or password
+    * __530__, No login, invalid password
+
+* Some FTP commands
+    * __USER__, Username
+    * __PASS__, Password
+    * __CWD__, Current work directory
+    * __LIST__, List
+
+* FTP Commands can be found via
+```sh
+ftp.request.command == "USER"
+ftp.request.arg == "password"
+```
+
+* __Bruteforce signal__, list failed login attempts
+```sh
+ftp.response.code == 530
+```
+
+* __Bruteforce signal__, List target username
+```sh
+(ftp.response.code == 530) && (ftp.response.arg contains "username")
+```
+
+* __Password spray signal__, List targets for a static password
+```sh
+(ftp.request.command == "PASS") && (ftp.request.arg == "password")
+```
+
+## HTTP
+
+* `http` or `http2`
+* HTTP methods can be searched for 
+```sh
+http.request.method == "GET"
+http.request
+```
+
+* HTTP response codes
+    * __200__, OK
+    * __301__, Moved Permanently
+    * __302__, Moved Temporarily
+    * __400__, Bad Request
+    * __401__, Unauthorised
+    * __403__, Forbidden
+    * __404__, Not Found
+    * __405__, Method Not Allowed
+    * __408__, Request Timeout
+    * __500__, Internal Server Error
+    * __503__, Service Unavailable
+```sh
+http.response.code == 200
+```
+
+* HTTP header parameters
+```sh
+http.user_agent contains "nmap"
+http.request.uri contains "foo"
+http.request.full_uri contains "foo"
+```
+
+* Other HTTP header parameters
+    * __Server__: Server service name
+    * __Host__: Hostname of the server
+    * __Connection__: Connection status
+    * __Line-based text data__: Cleartext data provided by the server
+```sh
+http.server contains "apache"
+http.host contains "keyword"
+http.host == "keyword"
+http.connection == "Keep-Alive"
+data-text-lines contains "keyword"
+```
+
+* HTTP User Agent and the usual tools to find
+```sh
+http.user_agent
+(http.user_agent contains "sqlmap") or (http.user_agent contains "Nmap") or (http.user_agent contains "Wfuzz") or (http.user_agent contains "Nikto")
+```
+
+### HTTP and Log4j
+
+```sh
+http.request.method == "POST"
+(ip contains "jndi") or ( ip contains "Exploit")
+(frame contains "jndi") or ( frame contains "Exploit")
+(http.user_agent contains "$") or (http.user_agent contains "==")
+```
+
+## HTTPS
+
+* __Client Hello__, (http.request or tls.handshake.type == 1) && !(ssdp) 
+* __Server Hello__,(http.request or tls.handshake.type == 2) && !(ssdp)  
+
+* Put in pre-shared key via `Edit --> Preferences --> Protocols --> TLS`
+* __Get the pre-shared key via__
+```sh
+ip xfrm state
+```
+* Alternatively use a Pre-Master-Secret log file to decode TLS
+
+
+## Plain Text Credentials
+
+`Tools` -> `Credentials` shows all the plain text credentials inside the pcap file
+
+## Firewall ACLs Rules
+
+Create FW ACL rules via `Tools` -> `Firewall ACL Rules`. Rule can be created for
+* iptables
+* IOS
+* ipfilter
+* ipfw
+* pf
+* netsh
+
+