killchain-compendium/Miscellaneous/BPF Filter.md

Wireshark BPF Filters

• This is a collection of bpf and wireshark filters to find specific network situations.

TCP Scans

• Recognize nmap scans in traffic

TCP Connect Scan

• Has a TCP window size larger than 1024 bytes

Open TCP Port looks like

SYN -->
<-- SYN, ACK
ACK -->

or

SYN -->
<-- SYN,ACK
ACK -->
RST, ACK -->

Closed TCP Port

SYN -->
<-- RST, ACK

• Find TCP Connect scan pattern

tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.window_size > 1024

TCP Half Open SYN Scan

• Lower or equal to 1024 bytes windows size

Open TCP Port looks like

SYN -->
<-- SYN, ACK
RST -->

Closed TCP Port looks like

SYN -->
<-- RST, ACK

• Find half open SYN scan pattern

tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.window_size <=1024

UDP Scans

Open UDP Port looks like

UDP packet -->

A closed UDP port is recognizable by an ICMP Type 3 reply

UDP packet -->
<-- ICMP Type 3

• Find UDP scan pattern with closed ports as a reply

icmp.type==3 and icmp.code==3

ARP

• Find ARP requests

arp.opcode == 1

• Find ARP responses

arp.opcode == 2

• Find MAC address

arp.dst.hw_mac == 00:00:DE:AD:BA:BE

• Detect ARP Poisoning

arp.duplicate-address-detected or arp.duplicate-address-frame

• Detect ARP Flooding

((arp) && (arp.opcode == 1)) && (arp.src.hw_mac == <TARGET_MAC>)

DHCP Analysis

• dns or bootp

• DHCP Request

dhcp.option.dhcp == 3

• DHCP ACK

 dhcp.option == 5

• DHCP NAK

dhcp.option == 6

• Other DHCP options
  • 12 Hostname.
  • 15 domain name
  • 51 Requested IP lease time.
  • 61 Client's MAC address
  • 50 Requested IP address.
  • 51 assigned IP lease time
  • 56 Message rejection details

NetBIOS

• nbns
• NetBIOS details are the interesting info, for example

nbns.name contains "foo"

Kerberos

• kerberos

• Search for cname information

kerberos.CNameString contains "foo"

• Find machine hostnames

kerberos.CNameString and !(kerberos.CNameString contains "$")

• Find Kerberos protocol version

kerberos.pvno == 5

• Domain name for a created Kerberos ticket

kerberos.realm contains ".foo"

• Service and domain name for the created Kerberos ticket

kerberos.SNnameString == "krbtg"

Tunneled Traffic

ICMP Exfiltration

• icmp
• Check for destination, packet length or encapsulated protocols

icmp && data.len > 64 

DNS Exfiltration

• dns
• Check for query length, unusual, encoded or long DNS address name queries
• Check for dnscat and dns2tcp or high frequency of DNS queries

dns contains "dns2tcp"
dns contains "dnscat"
dns.qry.name.len > 15 !mdns

FTP Traffic

ftp.response.code == 211

• FTP response codes

  • 211, System status
  • 212, Directory status
  • 213, File status
  • 220, Service ready
  • 227, Entering passive mode
  • 228, Long passive mode
  • 229, Extended passive mode
  • 230, User login
  • 231, User logout
  • 331, Valid username
  • 430, Invalid username or password
  • 530, No login, invalid password

• Some FTP commands

  • USER, Username
  • PASS, Password
  • CWD, Current work directory
  • LIST, List

• FTP Commands can be found via

ftp.request.command == "USER"
ftp.request.arg == "password"

• Bruteforce signal, list failed login attempts

ftp.response.code == 530

• Bruteforce signal, List target username

(ftp.response.code == 530) && (ftp.response.arg contains "username")

• Password spray signal, List targets for a static password

(ftp.request.command == "PASS") && (ftp.request.arg == "password")

HTTP

• http or http2
• HTTP methods can be searched for

http.request.method == "GET"
http.request

• HTTP response codes
  • 200, OK
  • 301, Moved Permanently
  • 302, Moved Temporarily
  • 400, Bad Request
  • 401, Unauthorised
  • 403, Forbidden
  • 404, Not Found
  • 405, Method Not Allowed
  • 408, Request Timeout
  • 500, Internal Server Error
  • 503, Service Unavailable

http.response.code == 200

• HTTP header parameters

http.user_agent contains "nmap"
http.request.uri contains "foo"
http.request.full_uri contains "foo"

• Other HTTP header parameters
  • Server: Server service name
  • Host: Hostname of the server
  • Connection: Connection status
  • Line-based text data: Cleartext data provided by the server

http.server contains "apache"
http.host contains "keyword"
http.host == "keyword"
http.connection == "Keep-Alive"
data-text-lines contains "keyword"

• HTTP User Agent and the usual tools to find

http.user_agent
(http.user_agent contains "sqlmap") or (http.user_agent contains "Nmap") or (http.user_agent contains "Wfuzz") or (http.user_agent contains "Nikto")

HTTP and Log4j

http.request.method == "POST"
(ip contains "jndi") or ( ip contains "Exploit")
(frame contains "jndi") or ( frame contains "Exploit")
(http.user_agent contains "$") or (http.user_agent contains "==")

HTTPS

• Client Hello, (http.request or tls.handshake.type == 1) && !(ssdp)

• Server Hello,(http.request or tls.handshake.type == 2) && !(ssdp)

• Put in pre-shared key via Edit --> Preferences --> Protocols --> TLS

• Get the pre-shared key via

ip xfrm state

• Alternatively use a Pre-Master-Secret log file to decode TLS

Plain Text Credentials

Tools -> Credentials shows all the plain text credentials inside the pcap file

Firewall ACLs Rules

Create FW ACL rules via Tools -> Firewall ACL Rules. Rule can be created for

• iptables
• IOS
• ipfilter
• ipfw
• pf
• netsh