From 26fff11d2757d0269ecc126e429c00e24547935d Mon Sep 17 00:00:00 2001 From: whx Date: Sat, 15 Oct 2022 23:55:38 +0200 Subject: [PATCH] bpf wireshark filters --- misc/BPF Filter.md | 254 ++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 251 insertions(+), 3 deletions(-) diff --git a/misc/BPF Filter.md b/misc/BPF Filter.md index ed4b649..72897ed 100644 --- a/misc/BPF Filter.md +++ b/misc/BPF Filter.md @@ -1,4 +1,4 @@ -# BPF Filters +# Wireshark BPF Filters * This is a collection of bpf and wireshark filters to find specific network situations. @@ -36,7 +36,7 @@ SYN --> * Find TCP Connect scan pattern ```bpf -tcp.flags.syn == 1 and tcp.flags.ack==0 and tcp.window_size > 1024 +tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.window_size > 1024 ``` ### TCP Half Open SYN Scan @@ -60,7 +60,7 @@ SYN --> * Find half open SYN scan pattern ```bpf -tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size <=1024 +tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.window_size <=1024 ``` ## UDP Scans @@ -83,3 +83,251 @@ UDP packet --> icmp.type==3 and icmp.code==3 ``` +## ARP + +* Find ARP requests +```bpf +arp.opcode == 1 +``` + +* Find ARP responses +```bpf +arp.opcode == 2 +``` + +* Find MAC address +```sh +arp.dst.hw_mac == 00:00:DE:AD:BA:BE +``` + +* Detect ARP Poisoning +```bpf +arp.duplicate-address-detected or arp.duplicate-address-frame +``` + +* Detect ARP Flooding +```bpf +((arp) && (arp.opcode == 1)) && (arp.src.hw_mac == ) +``` + +## DHCP Analysis + +* `dns` or `bootp` + +* DHCP Request +```sh +dhcp.option.dhcp == 3 +``` + +* DHCP ACK +```sh + dhcp.option == 5 +``` + + +* DHCP NAK +```sh +dhcp.option == 6 +``` + +* Other DHCP options + * 12 Hostname. + * 15 domain name + * 51 Requested IP lease time. + * 61 Client's MAC address + * 50 Requested IP address. + * 51 assigned IP lease time + * 56 Message rejection details + +## NetBIOS + +* `nbns` +* NetBIOS details are the interesting info, for example +```sh +nbns.name contains "foo" +``` + +## Kerberos + +* `kerberos` + +* Search for cname information +```sh +kerberos.CNameString contains "foo" +``` + +* Find machine hostnames +```sh +kerberos.CNameString and !(kerberos.CNameString contains "$") +``` + +* Find Kerberos protocol version +```sh +kerberos.pvno == 5 +``` + +* Domain name for a created Kerberos ticket +```sh +kerberos.realm contains ".foo" +``` + +* Service and domain name for the created Kerberos ticket +```sh +kerberos.SNnameString == "krbtg" +``` + +## Tunneled Traffic + +### ICMP Exfiltration + +* `icmp` +* Check for destination, packet length or encapsulated protocols +```sh +icmp && data.len > 64 +``` + +### DNS Exfiltration + +* `dns` +* Check for query length, unusual, encoded or long DNS address name queries +* Check for dnscat and dns2tcp or high frequency of DNS queries +```sh +dns contains "dns2tcp" +dns contains "dnscat" +dns.qry.name.len > 15 !mdns +``` + +## FTP Traffic + +```sh +ftp.response.code == 211 +``` +* FTP response codes + * __211__, System status + * __212__, Directory status + * __213__, File status + * __220__, Service ready + * __227__, Entering passive mode + * __228__, Long passive mode + * __229__, Extended passive mode + * __230__, User login + * __231__, User logout + * __331__, Valid username + * __430__, Invalid username or password + * __530__, No login, invalid password + +* Some FTP commands + * __USER__, Username + * __PASS__, Password + * __CWD__, Current work directory + * __LIST__, List + +* FTP Commands can be found via +```sh +ftp.request.command == "USER" +ftp.request.arg == "password" +``` + +* __Bruteforce signal__, list failed login attempts +```sh +ftp.response.code == 530 +``` + +* __Bruteforce signal__, List target username +```sh +(ftp.response.code == 530) && (ftp.response.arg contains "username") +``` + +* __Password spray signal__, List targets for a static password +```sh +(ftp.request.command == "PASS") && (ftp.request.arg == "password") +``` + +## HTTP + +* `http` or `http2` +* HTTP methods can be searched for +```sh +http.request.method == "GET" +http.request +``` + +* HTTP response codes + * __200__, OK + * __301__, Moved Permanently + * __302__, Moved Temporarily + * __400__, Bad Request + * __401__, Unauthorised + * __403__, Forbidden + * __404__, Not Found + * __405__, Method Not Allowed + * __408__, Request Timeout + * __500__, Internal Server Error + * __503__, Service Unavailable +```sh +http.response.code == 200 +``` + +* HTTP header parameters +```sh +http.user_agent contains "nmap" +http.request.uri contains "foo" +http.request.full_uri contains "foo" +``` + +* Other HTTP header parameters + * __Server__: Server service name + * __Host__: Hostname of the server + * __Connection__: Connection status + * __Line-based text data__: Cleartext data provided by the server +```sh +http.server contains "apache" +http.host contains "keyword" +http.host == "keyword" +http.connection == "Keep-Alive" +data-text-lines contains "keyword" +``` + +* HTTP User Agent and the usual tools to find +```sh +http.user_agent +(http.user_agent contains "sqlmap") or (http.user_agent contains "Nmap") or (http.user_agent contains "Wfuzz") or (http.user_agent contains "Nikto") +``` + +### HTTP and Log4j + +```sh +http.request.method == "POST" +(ip contains "jndi") or ( ip contains "Exploit") +(frame contains "jndi") or ( frame contains "Exploit") +(http.user_agent contains "$") or (http.user_agent contains "==") +``` + +## HTTPS + +* __Client Hello__, (http.request or tls.handshake.type == 1) && !(ssdp) +* __Server Hello__,(http.request or tls.handshake.type == 2) && !(ssdp) + +* Put in pre-shared key via `Edit --> Preferences --> Protocols --> TLS` +* __Get the pre-shared key via__ +```sh +ip xfrm state +``` +* Alternatively use a Pre-Master-Secret log file to decode TLS + + +## Plain Text Credentials + +`Tools` -> `Credentials` shows all the plain text credentials inside the pcap file + +## Firewall ACLs Rules + +Create FW ACL rules via `Tools` -> `Firewall ACL Rules`. Rule can be created for +* iptables +* IOS +* ipfilter +* ipfw +* pf +* netsh + +