# Wireshark BPF Filters

This is a collection of BPF and Wireshark filters to find specific network situations. Unless noted otherwise, the expressions are Wireshark display filters (the syntax of the filter bar and of `tshark -Y`), not libpcap capture-filter syntax.

## TCP Scans

* Recognize nmap scans in traffic

### TCP Connect Scan

* Has a TCP window size larger than 1024 bytes

An open TCP port looks like

```sh
SYN -->
<-- SYN, ACK
ACK -->
```

or

```sh
SYN -->
<-- SYN, ACK
ACK -->
RST, ACK -->
```

A closed TCP port looks like

```sh
SYN -->
<-- RST, ACK
```

* Find the TCP Connect scan pattern

```bpf
tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.window_size > 1024
```

### TCP Half Open SYN Scan

* Window size lower than or equal to 1024 bytes

An open TCP port looks like

```sh
SYN -->
<-- SYN, ACK
RST -->
```

A closed TCP port looks like

```sh
SYN -->
<-- RST, ACK
```

* Find the half open SYN scan pattern

```bpf
tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.window_size <= 1024
```

## UDP Scans

An open UDP port looks like (no reply, or an application-layer reply)

```sh
UDP packet -->
```

A closed UDP port is recognizable by an ICMP Type 3 reply

```sh
UDP packet -->
<-- ICMP Type 3
```

* Find the UDP scan pattern, using the closed-port replies

```bpf
icmp.type == 3 and icmp.code == 3
```

## ARP

* Find ARP requests

```bpf
arp.opcode == 1
```

* Find ARP responses

```bpf
arp.opcode == 2
```

* Find a MAC address

```sh
arp.dst.hw_mac == 00:00:DE:AD:BA:BE
```

* Detect ARP Poisoning

```bpf
arp.duplicate-address-detected or arp.duplicate-address-frame
```

* Detect ARP Flooding (fill in the source MAC to watch after `==`)

```bpf
((arp) && (arp.opcode == 1)) && (arp.src.hw_mac == )
```

## DHCP Analysis

* `dhcp` or `bootp` (older Wireshark versions name the dissector `bootp`)
* DHCP Request

```sh
dhcp.option.dhcp == 3
```

* DHCP ACK

```sh
dhcp.option.dhcp == 5
```

* DHCP NAK

```sh
dhcp.option.dhcp == 6
```

* Other DHCP options
  * 12 Hostname
  * 15 Domain name
  * 50 Requested IP address
  * 51 IP address lease time (requested by the client or assigned by the server)
  * 56 Message, rejection details
  * 61 Client identifier, the client's MAC address

## NetBIOS

* `nbns`
* NetBIOS names are the interesting info, for example

```sh
nbns.name contains "foo"
```

## Kerberos

* `kerberos`
* Search for cname information

```sh
kerberos.CNameString contains "foo"
```

* Find machine hostnames

```sh
kerberos.CNameString and !(kerberos.CNameString contains "$")
```

* Find the Kerberos protocol version

```sh
kerberos.pvno == 5
```

* Domain name for a created Kerberos ticket

```sh
kerberos.realm contains ".foo"
```

* Service and domain name for the created Kerberos ticket

```sh
kerberos.SNameString == "krbtgt"
```

## Tunneled Traffic

### ICMP Exfiltration

* `icmp`
* Check for destination, packet length or encapsulated protocols

```sh
icmp && data.len > 64
```

### DNS Exfiltration

* `dns`
* Check for query length, and for unusual, encoded or long DNS query names
* Check for dnscat and dns2tcp, or for a high frequency of DNS queries

```sh
dns contains "dns2tcp"
dns contains "dnscat"
dns.qry.name.len > 15
!mdns
```

## FTP Traffic

```sh
ftp.response.code == 211
```

* FTP response codes
  * __211__, System status
  * __212__, Directory status
  * __213__, File status
  * __220__, Service ready
  * __227__, Entering passive mode
  * __228__, Long passive mode
  * __229__, Extended passive mode
  * __230__, User login
  * __231__, User logout
  * __331__, Valid username
  * __430__, Invalid username or password
  * __530__, No login, invalid password
* Some FTP commands
  * __USER__, Username
  * __PASS__, Password
  * __CWD__, Working directory
  * __LIST__, List
* FTP commands and their arguments can be found via

```sh
ftp.request.command == "USER"
ftp.request.arg == "password"
```

* __Bruteforce signal__, list failed login attempts

```sh
ftp.response.code == 530
```

* __Bruteforce signal__, list the targeted username

```sh
(ftp.response.code == 530) && (ftp.response.arg contains "username")
```

* __Password spray signal__, list the targets of a static password

```sh
(ftp.request.command == "PASS") && (ftp.request.arg == "password")
```

## HTTP

* `http` or `http2`
* HTTP methods can be searched for

```sh
http.request.method == "GET"
http.request
```

* HTTP response codes
  * __200__, OK
  * __301__, Moved Permanently
  * __302__, Moved Temporarily
  * __400__, Bad Request
  * __401__, Unauthorised
  * __403__, Forbidden
  * __404__, Not Found
  * __405__, Method Not Allowed
  * __408__, Request Timeout
  * __500__, Internal Server Error
  * __503__, Service Unavailable

```sh
http.response.code == 200
```

* HTTP header parameters

```sh
http.user_agent contains "nmap"
http.request.uri contains "foo"
http.request.full_uri contains "foo"
```

* Other HTTP header parameters
  * __Server__: Server service name
  * __Host__: Hostname of the server
  * __Connection__: Connection status
  * __Line-based text data__: Cleartext data provided by the server

```sh
http.server contains "apache"
http.host contains "keyword"
http.host == "keyword"
http.connection == "Keep-Alive"
data-text-lines contains "keyword"
```

* HTTP User-Agent, and the usual tools to look for

```sh
http.user_agent
(http.user_agent contains "sqlmap") or (http.user_agent contains "Nmap") or (http.user_agent contains "Wfuzz") or (http.user_agent contains "Nikto")
```

### HTTP and Log4j

```sh
http.request.method == "POST"
(ip contains "jndi") or (ip contains "Exploit")
(frame contains "jndi") or (frame contains "Exploit")
(http.user_agent contains "$") or (http.user_agent contains "==")
```

## HTTPS

* __Client Hello__

```sh
(http.request or tls.handshake.type == 1) && !(ssdp)
```

* __Server Hello__

```sh
(http.request or tls.handshake.type == 2) && !(ssdp)
```

* Put in the pre-shared key via `Edit --> Preferences --> Protocols --> TLS`
* __Get the pre-shared key via__

```sh
ip xfrm state
```

* Alternatively use a Pre-Master-Secret log file to decode TLS

## Plain Text Credentials

`Tools` -> `Credentials` shows all the plain text credentials inside the pcap file.

## Firewall ACL Rules

Create FW ACL rules via `Tools` -> `Firewall ACL Rules`. Rules can be created for

* iptables
* IOS
* ipfilter
* ipfw
* pf
* netsh
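The TCP scan filters at the top of this page only select the initial SYN; to tell a connect scan from a half-open scan you have to look at what follows it. The script below is an added example that is not part of the original cheat sheet: it reassembles probe flows from a constructed list of packet records (a stand-in for `tshark` output, with field names chosen to mirror `tcp.flags.*` and `tcp.window_size`) and classifies each flow by the reply it got and by how the client reacted to a SYN/ACK. The window-size rule is only applied where it is the sole evidence, i.e. for closed ports that answer with RST/ACK.

```python
"""Classify TCP probe flows as connect scans or half-open (SYN) scans.

Added example, not from the original page. Works on a constructed packet
list instead of a pcap so it runs offline.
"""
from collections import defaultdict

# Constructed sample traffic: (src, dst, sport, dport, flags, window_size).
# Flag letters: S=SYN, A=ACK, R=RST.
PACKETS = [
    # half-open scan from 10.0.0.5: small window, bare RST after the SYN/ACK
    ("10.0.0.5", "10.0.0.9", 40001, 22, "S", 1024),
    ("10.0.0.9", "10.0.0.5", 22, 40001, "SA", 65535),
    ("10.0.0.5", "10.0.0.9", 40001, 22, "R", 0),
    ("10.0.0.5", "10.0.0.9", 40002, 80, "S", 1024),
    ("10.0.0.9", "10.0.0.5", 80, 40002, "RA", 0),          # closed port
    # connect scan from 10.0.0.7: large window, full handshake then RST/ACK
    ("10.0.0.7", "10.0.0.9", 50001, 443, "S", 64240),
    ("10.0.0.9", "10.0.0.7", 443, 50001, "SA", 65535),
    ("10.0.0.7", "10.0.0.9", 50001, 443, "A", 64240),
    ("10.0.0.7", "10.0.0.9", 50001, 443, "RA", 64240),
]


def build_flows(packets):
    """Group packets into flows keyed by the SYN initiator's 4-tuple.

    Each flow keeps the window size of the initial SYN (what the page's
    filters key on) and the ordered (side, flags) events that follow it.
    """
    flows = {}
    for src, dst, sport, dport, flags, win in packets:
        fwd = (src, dst, sport, dport)
        rev = (dst, src, dport, sport)
        if flags == "S":                       # tcp.flags.syn == 1 && tcp.flags.ack == 0
            flows[fwd] = {"syn_window": win, "events": []}
        elif fwd in flows:
            flows[fwd]["events"].append(("client", flags))
        elif rev in flows:
            flows[rev]["events"].append(("server", flags))
    return flows


def classify_flow(flow):
    """Return (port_state, technique) for one probe flow."""
    events = flow["events"]
    reply = next((f for side, f in events if side == "server"), None)
    if reply is None:
        return "filtered", "unknown"
    if "R" in reply:
        # Closed port: the SYN's window size is the only hint left (page heuristic)
        technique = "connect" if flow["syn_window"] > 1024 else "half-open"
        return "closed", technique
    # SYN/ACK came back; the client's next packet decides the technique
    follow_up = [f for side, f in events if side == "client"]
    if follow_up and "A" in follow_up[0]:
        return "open", "connect"      # handshake completed, RST/ACK may follow
    if follow_up and follow_up[0] == "R":
        return "open", "half-open"    # bare RST tears the half-open connection down
    return "open", "unknown"


def summarize(packets):
    """Per probing host: port states seen and the technique(s) inferred."""
    report = defaultdict(lambda: {"open": [], "closed": [], "filtered": [], "technique": set()})
    for (src, _dst, _sport, dport), flow in build_flows(packets).items():
        state, technique = classify_flow(flow)
        report[src][state].append(dport)
        report[src]["technique"].add(technique)
    return {src: {**v, "technique": ",".join(sorted(v["technique"]))} for src, v in report.items()}


if __name__ == "__main__":
    for host, info in summarize(PACKETS).items():
        print(host, info)
```

The same grouping works on real `tshark -T fields` output once you parse the columns into the tuple shape above; the window-size heuristic is the weakest of the three signals, so treat a "connect" or "half-open" verdict for closed ports as a hint rather than a fact.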
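The ARP section relies on Wireshark's own `arp.duplicate-address-detected` flag and leaves the flooding filter without a MAC to match. As an added example (not from the original page), the following script implements both checks over a constructed list of ARP frames: it records which MACs claim each IP in replies and reports IPs with more than one claimant, and it counts requests per sender MAC against a threshold. Treating only opcode 2 as a claim is a simplification assumed here; gratuitous ARP announcements sent as requests would need the same treatment.

```python
"""Spot duplicate IP claims and ARP request floods in a frame list.

Added example, not from the original page. ARP_FRAMES is constructed data.
"""
from collections import Counter, defaultdict

# Constructed frames: (opcode, sender_mac, sender_ip, target_ip); 1=request, 2=reply
ARP_FRAMES = [
    (1, "aa:aa:aa:aa:aa:01", "10.0.0.1", "10.0.0.20"),
    (2, "aa:aa:aa:aa:aa:20", "10.0.0.20", "10.0.0.1"),
    (2, "aa:aa:aa:aa:aa:01", "10.0.0.1", "10.0.0.20"),   # gateway's real MAC
    (2, "de:ad:be:ef:00:99", "10.0.0.1", "10.0.0.20"),   # same IP, different MAC
    (2, "de:ad:be:ef:00:99", "10.0.0.1", "10.0.0.21"),
] + [
    # one host asking for every address in the subnet in quick succession
    (1, "de:ad:be:ef:00:99", "10.0.0.99", f"10.0.0.{i}") for i in range(2, 60)
]


def detect_duplicate_addresses(frames):
    """IPs claimed by more than one MAC, the condition behind
    arp.duplicate-address-detected. Only replies (opcode 2) count as claims."""
    claims = defaultdict(set)
    for opcode, sender_mac, sender_ip, _target_ip in frames:
        if opcode == 2:
            claims[sender_ip].add(sender_mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def detect_request_flood(frames, threshold=30):
    """Sender MACs that issued more than `threshold` ARP requests; this is the
    per-MAC count the page's flooding filter (arp.opcode == 1 && arp.src.hw_mac)
    lets you eyeball once a MAC is filled in."""
    counts = Counter(sender_mac for opcode, sender_mac, _ip, _tip in frames if opcode == 1)
    return {mac: n for mac, n in counts.items() if n > threshold}


if __name__ == "__main__":
    print("duplicate claims:", detect_duplicate_addresses(ARP_FRAMES))
    print("request floods:", detect_request_flood(ARP_FRAMES))
```

A change of MAC for an IP is not always poisoning (DHCP reassignments and NIC replacements produce the same picture), so pair the duplicate-claim output with the first-seen timestamps before acting on it.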
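The DNS exfiltration bullets above list the signals (name length, encoded-looking labels, query frequency) but the filters only check one of them, `dns.qry.name.len > 15`. The script below is an added example that is not part of the original page: it scores each query name on overall length, longest label and character entropy of the part left of the registered domain, then flags clients that send several suspicious names to the same domain. The thresholds and the assumption that the registered domain is the last two labels are choices made for this example, and the query list is constructed.

```python
"""Score DNS query names for tunnelling/exfiltration traits.

Added example, not from the original page. QUERIES is constructed data.
"""
import math
from collections import Counter

# Constructed (client_ip, query_name) records, as dns.qry.name would show them
QUERIES = [
    ("10.0.0.12", "www.example.com"),
    ("10.0.0.12", "mail.example.com"),
    ("10.0.0.12", "cdn.example.com"),
    ("10.0.0.31", "NBSWY3DPEB3W64TMMQ.d4f8a2c1.tunnel.example.net"),
    ("10.0.0.31", "ONSWG4TFOQQGC3TEEBXW4Y3F.3a91bc02.tunnel.example.net"),
    ("10.0.0.31", "MFRGGZDFMZTWQ2LKNNWG23TPOBYXE43U.7711ee09.tunnel.example.net"),
]


def entropy(text):
    """Shannon entropy in bits per character (0 for an empty string)."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def registered_domain(qname):
    """Last two labels; an assumption that ignores public suffixes like co.uk."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def name_features(qname):
    labels = qname.rstrip(".").split(".")
    host_part = ".".join(labels[:-2])            # everything left of the registered domain
    return {
        "length": len(qname),                    # what dns.qry.name.len measures
        "labels": len(labels),
        "longest_label": max(len(label) for label in labels),
        "entropy": round(entropy(host_part), 2),
    }


def is_suspicious(qname, max_len=52, max_label=30, min_entropy=3.5):
    """Any one trait over its threshold marks the name (thresholds are example values)."""
    f = name_features(qname)
    return f["length"] > max_len or f["longest_label"] > max_label or f["entropy"] > min_entropy


def flag_clients(records, min_hits=3):
    """Clients that sent at least min_hits suspicious names to one registered domain."""
    hits = Counter()
    for client, qname in records:
        if is_suspicious(qname):
            hits[(client, registered_domain(qname))] += 1
    return {client for (client, _domain), n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for client, qname in QUERIES:
        print(client, qname, name_features(qname), is_suspicious(qname))
    print("flagged clients:", flag_clients(QUERIES))
```

Content-delivery and anti-spam services also produce long, high-entropy labels, which is why the client-level aggregation matters more than any single name: one odd lookup is noise, dozens to the same domain from one host is the pattern dnscat and dns2tcp leave behind.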
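The FTP section distinguishes a brute-force signal (repeated `530` replies) from a password-spray signal (one static `PASS` argument across many users), but the display filters show the packets and leave the counting to the analyst. As an added example that is not part of the original page, the script below reconstructs login attempts from a constructed list of FTP control-channel lines (the `ftp.request.command`, `ftp.request.arg` and `ftp.response.code` values the filters refer to) and applies both rules, plus a third one the filters cannot express: a `230` for a user that had already failed. The attempt log and the thresholds are constructed for this example.

```python
"""Reconstruct FTP login attempts and flag brute force vs password spray.

Added example, not from the original page. FTP_LOG is constructed data.
"""
from collections import Counter, defaultdict

# Constructed control-channel lines as (client_ip, line). Lines starting with a
# 3-digit code are server replies; the others are client commands.
FTP_LOG = [
    ("10.0.0.50", "USER admin"), ("10.0.0.50", "PASS pass1"), ("10.0.0.50", "530 Login incorrect."),
    ("10.0.0.50", "USER admin"), ("10.0.0.50", "PASS pass2"), ("10.0.0.50", "530 Login incorrect."),
    ("10.0.0.50", "USER admin"), ("10.0.0.50", "PASS pass3"), ("10.0.0.50", "530 Login incorrect."),
    ("10.0.0.50", "USER admin"), ("10.0.0.50", "PASS pass4"), ("10.0.0.50", "230 Login successful."),
    ("10.0.0.66", "USER alice"), ("10.0.0.66", "PASS Season2024"), ("10.0.0.66", "530 Login incorrect."),
    ("10.0.0.66", "USER bob"), ("10.0.0.66", "PASS Season2024"), ("10.0.0.66", "530 Login incorrect."),
    ("10.0.0.66", "USER carol"), ("10.0.0.66", "PASS Season2024"), ("10.0.0.66", "530 Login incorrect."),
    ("10.0.0.70", "USER dave"), ("10.0.0.70", "PASS dave-own-pw"), ("10.0.0.70", "230 Login successful."),
]


def parse_attempts(log):
    """Turn USER/PASS/reply sequences into (client, user, password, code) attempts.

    Intermediate replies such as 331 are ignored; an attempt closes on 230 or 530.
    """
    attempts, pending = [], {}
    for client, line in log:
        if line[:3].isdigit():                              # server reply, ftp.response.code
            code = int(line[:3])
            if code in (230, 530) and client in pending:
                p = pending.pop(client)
                attempts.append((client, p["user"], p.get("password"), code))
            continue
        command, _, arg = line.partition(" ")               # ftp.request.command / .arg
        if command == "USER":
            pending[client] = {"user": arg}
        elif command == "PASS" and client in pending:
            pending[client]["password"] = arg
    return attempts


def detect(log, max_failures=3, min_spray_users=3):
    """Apply the three rules and return the offending client IPs per rule."""
    attempts = parse_attempts(log)
    failures = Counter((client, user) for client, user, _pw, code in attempts if code == 530)
    spray = defaultdict(set)            # (client, password) -> users it was tried against
    failed_users, success_after_failures = set(), set()
    for client, user, password, code in attempts:
        if code == 530:
            failed_users.add((client, user))
            if password is not None:
                spray[(client, password)].add(user)
        elif code == 230 and (client, user) in failed_users:
            success_after_failures.add(client)
    return {
        "bruteforce": sorted({c for (c, _u), n in failures.items() if n >= max_failures}),
        "spray": sorted({c for (c, _pw), users in spray.items() if len(users) >= min_spray_users}),
        "success_after_failures": sorted(success_after_failures),
    }


if __name__ == "__main__":
    print(detect(FTP_LOG))
```

The spray rule keys on the password value because that is the invariant of a spray; the brute-force rule keys on the (client, user) pair so that a single impatient user with a typo does not trip it at the same threshold as an automated guesser.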