killchain-compendium/Forensics/Wireshark.md


# Wireshark

## Information about Pcap Files

Get summary information (capture type, packet count, duration, etc.) about a given PCAP file:

```bash
capinfos example.pcap
```

Show verbose packet details (`-V`) together with the raw bytes of each packet (`-x`):

```bash
tshark -r example.pcapng -V -x
```

When capturing, the autostop (`-a`) and ring buffer (`-b`) options stop or split the capture file at a defined duration (`duration:10`), file size (`filesize:100`) or number of files (`files:5`).

## Extracting USB Keystrokes

Traffic between a USB device and the host can be filtered with tshark so that only the payload, e.g. the keystrokes of a USB keyboard, is printed:

```bash
# Keep only interrupt transfers of the expected size and drop the all-zero
# key-release reports, then print the HID report of each remaining frame.
tshark -r keystrokes.pcapng -Y "usb.transfer_type==0x01 and frame.len==35 and !(usb.capdata == 00:00:00:00:00:00:00:00)" -T fields -e usbhid.data > output.txt
```

A lookup table is needed to convert the USB HID key codes in the exported data to ASCII characters:

```bash
python keystrokedecoder.py output.txt
```
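The decoder itself is not part of the compendium; the following is an added example of such a lookup-table decoder for the `output.txt` produced above. It assumes a boot-protocol keyboard with a US layout, one 8-byte report per line (with or without `:` separators), and that the tshark filter has already removed the all-zero release reports, so every remaining report is treated as one key press.

```python
from typing import Iterable

# HID usage IDs of the boot-keyboard page as (unshifted, shifted) characters.
_KEYS = {0x04 + i: (c, c.upper()) for i, c in enumerate("abcdefghijklmnopqrstuvwxyz")}
_KEYS.update({0x1E + i: pair for i, pair in enumerate(zip("1234567890", "!@#$%^&*()"))})
_KEYS.update({
    0x28: ("\n", "\n"), 0x2B: ("\t", "\t"), 0x2C: (" ", " "),
    0x2D: ("-", "_"), 0x2E: ("=", "+"), 0x2F: ("[", "{"), 0x30: ("]", "}"),
    0x31: ("\\", "|"), 0x33: (";", ":"), 0x34: ("'", '"'), 0x35: ("`", "~"),
    0x36: (",", "<"), 0x37: (".", ">"), 0x38: ("/", "?"),
})
_SHIFT_MASK = 0x02 | 0x20   # left and right Shift bits of the modifier byte
_BACKSPACE = 0x2A

def parse_report(line: str) -> bytes:
    """One tshark line ("00:00:04:00:..." or "0000040000000000") -> 8 raw bytes."""
    return bytes.fromhex(line.strip().replace(":", ""))

def decode_reports(lines: Iterable[str]) -> str:
    """Reconstruct the typed text from exported HID keyboard reports.

    Because the tshark filter drops the all-zero key-release reports, each
    remaining report is treated as one key press (first key slot, byte 2).
    """
    out = []
    for line in lines:
        if not line.strip():
            continue
        report = parse_report(line)
        if len(report) != 8 or report[2] == 0:
            continue                      # malformed line or modifier-only report
        key = report[2]
        if key == _BACKSPACE:
            if out:
                out.pop()
        elif key in _KEYS:
            out.append(_KEYS[key][1 if report[0] & _SHIFT_MASK else 0])
    return "".join(out)

# Constructed sample of the tshark output (not taken from a real capture).
SAMPLE_REPORTS = [
    "02:00:0b:00:00:00:00:00",  # Shift + h -> 'H'
    "00:00:0c:00:00:00:00:00",  # i
    "02:00:1e:00:00:00:00:00",  # Shift + 1 -> '!'
    "00:00:1b:00:00:00:00:00",  # x (a typo ...)
    "00:00:2a:00:00:00:00:00",  # ... removed again by Backspace
    "00:00:28:00:00:00:00:00",  # Enter
]

if __name__ == "__main__":
    import sys
    with open(sys.argv[1]) as fh:
        print(decode_reports(fh), end="")
```

Keys outside the table (arrows, function keys, modifier-only reports) are silently skipped, which is usually what you want when recovering typed text, but extend `_KEYS` if the capture uses a different layout.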

## Extracting Payload Sent in DNS Requests

Search for the DNS requests to a given server that contain the specific top-level domain, and keep only the first label of each queried name, which carries the payload:

```bash
tshark -r capture.pcapng -Y 'dns && ip.dst==167.71.211.113 && (dns contains xyz)' -T fields -e dns.qry.name | awk -F '.' '{print $1}' | uniq > dns.out
```

## NTLMv2 Hash Reconstruction via SMBv2

The SMBv2 session setup leaves enough information on the wire to reconstruct the NTLMv2 hash. Look at the second and third packets of the initialization, namely `Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE` and `Session Setup Request, NTLMSSP_AUTH, User: <DOMAIN\USERNAME>`.

The scheme of an NTLMv2 hash is the following:

```
[User name]::[Domain name]:[NTLM Server Challenge]:[NTProofStr]:[Rest of NTLMv2 Response]
```

The NTLM Server Challenge is found inside the Security Blob of the `NTLMSSP_CHALLENGE` message sent by the server. The User name, Domain name and NTLMv2 Response are found inside the Security Blob of the `NTLMSSP_AUTH` message sent by the client. NTProofStr is the first part of the NTLMv2 Response; insert a `:` between NTProofStr and the rest of the NTLMv2 Response.