# Wireshark ## Extracting USB Keystrokes * Data between USB devices and the host can be filtered via tshark in order to display just the payload, e.g. keystrokes in the following way ```sh tshark -r keystrokes.pcapng -Y "usb.transfer_type==0x01 and frame.len==35 and! (usb.capdata == 00:00:00:00:00:00:00:00)" -T fields -e usbhid.data > output.txt ``` * A lookup table is needed to [convert the USBHID data to ASCII values](https://gist.github.com/ImAnEnabler/091a9e1ee2d6a0805408e009e2f4a2b5) ``` python keystrokedecoder.py output.txt ``` ## Extracting Payload sent in DNS Request Search for the DNS requests containing the specific top level domain. ```sh tshark -r capture.pcapng -Y 'dns && ip.dst==167.71.211.113 && (dns contains xyz)' -T fields -e dns.qry.name | awk -F '.' '{print $1}' | uniq > dns.out ``` ## NTLMv2 hash Reconstruction via SMBv2 Session setup of SMBv2 leaves enough information to reconstruct the NTLMv2 hash. Take a look at the second and third packets of the initialization, namely `Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE` and `Session Setup Request, NTLMSSP_AUTH, User: `. The scheme of an NTLMv2 hash is the following. ``` [User name]::[Domain name]:[NTLM Server Challenge]:[NTProofStr]:[Rest of NTLMv2 Response] ``` The `NTLM Server Challenge` can be found inside the `Security Blob` of the request from the server. `User name`, `Domain name` and `NTLMv2 Response` can be found inside the `Security Blob` inside the response sent by the client. `NTProofStr` is the first part of the `NTLM Response`. Set a `:` between `NTProofStr` and the rest of the `NTLMv2 Response`.