added more info

gurkenhabicht 2024-06-05 18:29:27 +02:00
parent 83d452c487
commit c3363c2f7c
1 changed files with 28 additions and 5 deletions


@ -1,20 +1,42 @@
# Wireshark # Wireshark
## Information about Pcap Files
Get information about a given PCAP file in the following way.
```sh
capinfos example.pcap
```
Show verbose package information and bytes inside the package.
```sh
tshark -r example.pcapng -V -x
```
Autostop `-a` and ringbuffer `-b` arguments may be set to stop or split files
at defined duration `duration:10`, sizes `filesize:100`, and count of files
`files:5`.
## Extracting USB Keystrokes ## Extracting USB Keystrokes
* Data between USB devices and the host can be filtered via tshark in order to display just the payload, e.g. keystrokes in the following way Data between USB devices and the host can be filtered via tshark in order to
display just the payload, e.g. keystrokes in the following way
```sh ```sh
tshark -r keystrokes.pcapng -Y "usb.transfer_type==0x01 and frame.len==35 and! (usb.capdata == 00:00:00:00:00:00:00:00)" -T fields -e usbhid.data > output.txt tshark -r keystrokes.pcapng -Y "usb.transfer_type==0x01 and frame.len==35 and! (usb.capdata == 00:00:00:00:00:00:00:00)" -T fields -e usbhid.data > output.txt
``` ```
* A lookup table is needed to [convert the USBHID data to ASCII values](https://gist.github.com/ImAnEnabler/091a9e1ee2d6a0805408e009e2f4a2b5) A lookup table is needed to [convert the USBHID data to ASCII values](https://gist.github.com/ImAnEnabler/091a9e1ee2d6a0805408e009e2f4a2b5)
```
```sh
python keystrokedecoder.py output.txt python keystrokedecoder.py output.txt
``` ```
## Extracting Payload sent in DNS Request ## Extracting Payload sent in DNS Request
Search for the DNS requests containing the specific top level domain. Search for the DNS requests containing the specific top level domain.
```sh ```sh
tshark -r capture.pcapng -Y 'dns && ip.dst==167.71.211.113 && (dns contains xyz)' -T fields -e dns.qry.name | awk -F '.' '{print $1}' | uniq > dns.out tshark -r capture.pcapng -Y 'dns && ip.dst==167.71.211.113 && (dns contains xyz)' -T fields -e dns.qry.name | awk -F '.' '{print $1}' | uniq > dns.out
``` ```
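Review bot: in the keystroke extraction command `tshark -r keystrokes.pcapng -Y "usb.transfer_type==0x01 and frame.len==35 and! (usb.capdata == 00:00:00:00:00:00:00:00)" -T fields -e usbhid.data` the display filter tests `usb.capdata` while the output field is `usbhid.data`; these are filled by different dissectors (the raw USB layer versus the USBHID dissector), so depending on the Wireshark version and whether HID dissection is enabled, one of them is empty and the command either matches nothing or prints blank lines. Use the same field in both places (filter and `-e`), and mention that `frame.len==35` depends on the capture pseudo-header of the tool that recorded the trace, so it will need adjusting for captures from other platforms. Also: the fence in front of `python keystrokedecoder.py output.txt` shows as a bare ``` on one side and ```sh on the other, so make sure the committed file uses ```sh like the other blocks; "Show verbose package information and bytes inside the package" should read "packet"; `and!` is better written `and !(...)` with a space for readability; and in the DNS pipeline `uniq` only collapses adjacent duplicates, which preserves the order of the query chunks but will not remove repeated queries that are not consecutive, so either say that this is intended or use `sort -u` where order does not matter.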
@ -36,4 +58,5 @@ The `NTLM Server Challenge` can be found inside the `Security Blob` of the
request from the server. request from the server.
`User name`, `Domain name` and `NTLMv2 Response` can be found inside the `User name`, `Domain name` and `NTLMv2 Response` can be found inside the
`Security Blob` inside the response sent by the client. `NTProofStr` is the `Security Blob` inside the response sent by the client. `NTProofStr` is the
first part of the `NTLM Response`. Set a `:` between `NTProofStr` and the rest of the `NTLMv2 Response`. first part of the `NTLM Response`. Set a `:` between `NTProofStr` and the rest
of the `NTLMv2 Response`.
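Review bot: the request/response labels in this region look swapped: the `NTLM Server Challenge` is carried in the server's Session Setup Response (the NTLMSSP CHALLENGE message), and `User name`, `Domain name` and the `NTLMv2 Response` are carried in the client's Session Setup Request (the NTLMSSP AUTH message), so "request from the server" should read "response from the server" and "response sent by the client" should read "request sent by the client". Use one name for the field as well: the text says `NTProofStr` is the first part of the `NTLM Response` but elsewhere calls it the `NTLMv2 Response`; stating that `NTProofStr` is the first 16 bytes of the `NTLMv2 Response` makes the split point unambiguous.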