added details about -z

Stefan Friese 2024-06-18 22:26:21 +02:00
parent 2e1d63eab1
commit 54ecb707e6
1 changed files with 13 additions and 1 deletions


@ -18,6 +18,17 @@ Autostop `-a` and ringbuffer `-b` arguments may be set to stop or split files
at defined duration `duration:10`, sizes `filesize:100`, and count of files at defined duration `duration:10`, sizes `filesize:100`, and count of files
`files:5`. `files:5`.
Use `-z help` to see options of possible statistics, use `-q` to suppress
packet details.
## Find Credentials
Tshark can list all found credentials via the following command
```sh
tshark -r file.pcap -z credentials -q
```
## Extracting USB Keystrokes ## Extracting USB Keystrokes
Data between USB devices and the host can be filtered via tshark in order to Data between USB devices and the host can be filtered via tshark in order to
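Review bot: In the new "Find Credentials" section, the sentence "Tshark can list all found credentials via the following command" does not say what the `-z credentials` statistic covers, so a reader can take an empty result to mean the capture holds no credentials. Suggest stating which protocols the statistic reports on, or pointing back to `-z help` from the paragraph added just above, and ending the sentence with a colon before the fence. The added line "Use `-z help` to see options of possible statistics, use `-q` to suppress packet details." is a comma splice and reads better as two sentences. Because the command prints recovered credentials, a short remark on handling that output as sensitive would fit here as well.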
@ -27,7 +38,8 @@ display just the payload, e.g. keystrokes in the following way
tshark -r keystrokes.pcapng -Y "usb.transfer_type==0x01 and frame.len==35 and! (usb.capdata == 00:00:00:00:00:00:00:00)" -T fields -e usbhid.data > output.txt tshark -r keystrokes.pcapng -Y "usb.transfer_type==0x01 and frame.len==35 and! (usb.capdata == 00:00:00:00:00:00:00:00)" -T fields -e usbhid.data > output.txt
``` ```
A lookup table is needed to [convert the USBHID data to ASCII values](https://gist.github.com/ImAnEnabler/091a9e1ee2d6a0805408e009e2f4a2b5) A lookup table is needed to [convert the USBHID data to ASCII
values](https://gist.github.com/ImAnEnabler/091a9e1ee2d6a0805408e009e2f4a2b5)
```sh ```sh
python keystrokedecoder.py output.txt python keystrokedecoder.py output.txt
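Review bot: The only change in this hunk is a rewrap that splits the link text between "ASCII" and "values", which is unrelated to the `-z` details named in the commit message. Suggest breaking the line before `[convert` so the whole link stays on one line and remains easy to search for, or moving the rewrap into a separate formatting commit. The sentence also still ends without a colon or period before the `sh` fence that follows it.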