whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
killchain-compendium/Forensics/Wireshark.md

75 lines
2.2 KiB
Markdown
Raw Blame History

# Wireshark
## Information about Pcap Files
Get information about a given PCAP file in the following way.
```sh
capinfos example.pcap
```
Show verbose package information and bytes inside the package.
```sh
tshark -r example.pcapng -V -x
```
Autostop `-a` and ringbuffer `-b` arguments may be set to stop or split files
at defined duration `duration:10`, sizes `filesize:100`, and count of files
`files:5`.
Use `-z help` to see options of possible statistics, use `-q` to suppress
packet details.
## Find Credentials
Tshark can list all found credentials via the following command
```sh
tshark -r file.pcap -z credentials -q
```
## Extracting USB Keystrokes
Data between USB devices and the host can be filtered via tshark in order to
display just the payload, e.g. keystrokes in the following way
```sh
tshark -r keystrokes.pcapng -Y "usb.transfer_type==0x01 and frame.len==35 and! (usb.capdata == 00:00:00:00:00:00:00:00)" -T fields -e usbhid.data > output.txt
```
A lookup table is needed to [convert the USBHID data to ASCII
values](https://gist.github.com/ImAnEnabler/091a9e1ee2d6a0805408e009e2f4a2b5)
```sh
python keystrokedecoder.py output.txt
```
## Extracting Payload sent in DNS Request
Search for the DNS requests containing the specific top level domain.
```sh
tshark -r capture.pcapng -Y 'dns && ip.dst==167.71.211.113 && (dns contains xyz)' -T fields -e dns.qry.name | awk -F '.' '{print $1}' | uniq > dns.out
```
## NTLMv2 hash Reconstruction via SMBv2
Session setup of SMBv2 leaves enough information to reconstruct the NTLMv2 hash.
Take a look at the second and third packets of the initialization, namely
`Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE`
and `Session Setup Request, NTLMSSP_AUTH, User: <DOMAIN\USERNAME>`.
The scheme of an NTLMv2 hash is the following.
```
[User name]::[Domain name]:[NTLM Server Challenge]:[NTProofStr]:[Rest of NTLMv2 Response]
```
The `NTLM Server Challenge` can be found inside the `Security Blob` of the
request from the server.
`User name`, `Domain name` and `NTLMv2 Response` can be found inside the
`Security Blob` inside the response sent by the client. `NTProofStr` is the
first part of the `NTLM Response`. Set a `:` between `NTProofStr` and the rest
of the `NTLMv2 Response`.
Reference in New Issue View Git Blame Copy Permalink