Wireshark BPF Filters

  • This is a collection of BPF and Wireshark filters for finding specific network situations; the expressions below are written in Wireshark display-filter syntax.

TCP Scans

  • Recognize nmap scans in traffic

TCP Connect Scan

  • Has a TCP window size larger than 1024 bytes

Open TCP Port looks like

SYN -->
<-- SYN, ACK
ACK -->

or

SYN -->
<-- SYN,ACK
ACK -->
RST, ACK -->

Closed TCP Port

SYN -->
<-- RST, ACK
  • Find TCP Connect scan pattern
tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.window_size > 1024

TCP Half Open SYN Scan

  • Has a TCP window size lower than or equal to 1024 bytes

Open TCP Port looks like

SYN -->
<-- SYN, ACK
RST -->

Closed TCP Port looks like

SYN -->
<-- RST, ACK
  • Find half open SYN scan pattern
tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.window_size <= 1024
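The two window-size filters above only select individual SYN packets; a practitioner also wants the per-source port count that turns single probes into a scan verdict. The following added example (not part of the original notes) applies the same heuristic to constructed packet records of the kind tshark would export, and reports sources whose initial SYNs touch several distinct ports.

```python
# Added example: classify initial SYNs with the 1024-byte window heuristic
# and flag sources that probe many ports. Records are constructed samples.
from collections import defaultdict

# Fields a tshark export would give per packet:
# ip.src, tcp.dstport, tcp.flags.syn, tcp.flags.ack, tcp.window_size
SAMPLE_PACKETS = [
    {"src": "10.0.0.5", "dport": 22,  "syn": 1, "ack": 0, "window": 1024},
    {"src": "10.0.0.5", "dport": 80,  "syn": 1, "ack": 0, "window": 1024},
    {"src": "10.0.0.5", "dport": 443, "syn": 1, "ack": 0, "window": 1024},
    {"src": "10.0.0.5", "dport": 445, "syn": 1, "ack": 0, "window": 1024},
    {"src": "10.0.0.9", "dport": 443, "syn": 1, "ack": 0, "window": 64240},
    {"src": "10.0.0.9", "dport": 443, "syn": 1, "ack": 1, "window": 65535},  # SYN/ACK
]

def classify_syn(pkt):
    """Return 'half_open', 'connect' or None, mirroring the two filters above."""
    if pkt["syn"] != 1 or pkt["ack"] != 0:
        return None                     # not an initial SYN
    return "half_open" if pkt["window"] <= 1024 else "connect"

def find_scanners(packets, min_ports=3):
    """Group initial SYNs by source and scan kind; return only sources whose
    SYNs of one kind hit at least min_ports distinct destination ports."""
    seen = defaultdict(lambda: defaultdict(set))
    for pkt in packets:
        kind = classify_syn(pkt)
        if kind:
            seen[pkt["src"]][kind].add(pkt["dport"])
    result = {}
    for src, kinds in seen.items():
        hits = {k: sorted(p) for k, p in kinds.items() if len(p) >= min_ports}
        if hits:
            result[src] = hits
    return result

if __name__ == "__main__":
    for src, hits in find_scanners(SAMPLE_PACKETS).items():
        for kind, ports in hits.items():
            print(f"{src}: {kind} scan pattern on ports {ports}")
```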

UDP Scans

Open UDP Port looks like

UDP packet -->

A closed UDP port is recognizable by an ICMP Type 3 reply

UDP packet -->
<-- ICMP Type 3
  • Find UDP scan pattern with closed ports as a reply
icmp.type == 3 and icmp.code == 3

ARP

  • Find ARP requests
arp.opcode == 1
  • Find ARP responses
arp.opcode == 2
  • Find MAC address
arp.dst.hw_mac == 00:00:DE:AD:BA:BE
  • Detect ARP Poisoning
arp.duplicate-address-detected or arp.duplicate-address-frame
  • Detect ARP Flooding
((arp) && (arp.opcode == 1)) && (arp.src.hw_mac == <TARGET_MAC>)

DHCP Analysis

  • dns or bootp

  • DHCP Request
dhcp.option.dhcp == 3
  • DHCP ACK
dhcp.option.dhcp == 5
  • DHCP NAK
dhcp.option.dhcp == 6
  • Other DHCP options
    • 12, Hostname
    • 15, Domain name
    • 51, Requested IP lease time
    • 61, Client's MAC address
    • 50, Requested IP address
    • 51, Assigned IP lease time
    • 56, Message rejection details

NetBIOS

  • nbns
  • NetBIOS details are the interesting info, for example
nbns.name contains "foo"

Kerberos

  • kerberos

  • Search for cname information

kerberos.CNameString contains "foo"
  • Find user names (machine account names end with "$" and are excluded)
kerberos.CNameString and !(kerberos.CNameString contains "$")
  • Find Kerberos protocol version
kerberos.pvno == 5
  • Domain name for a created Kerberos ticket
kerberos.realm contains ".foo"
  • Service and domain name for the created Kerberos ticket
kerberos.SNameString == "krbtgt"

Tunneled Traffic

ICMP Exfiltration

  • icmp
  • Check for destination, packet length or encapsulated protocols
icmp && data.len > 64

DNS Exfiltration

  • dns
  • Check for query length, unusual, encoded or long DNS address name queries
  • Check for dnscat and dns2tcp or high frequency of DNS queries
dns contains "dns2tcp"
dns contains "dnscat"
dns.qry.name.len > 15 && !mdns
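The length filter above is a coarse check; encoded tunnel payloads also show up as very long single labels with high character entropy. The following added example (not part of the original notes) scores constructed query names with the same length threshold, skips mDNS names as `!mdns` does, and adds label-length, entropy and tool-name checks.

```python
# Added example: DNS query-name checks for tunnelling/exfiltration.
# Query names below are constructed samples, not from a real capture.
import math
from collections import Counter

SAMPLE_QUERIES = [
    "www.example.com",
    "mail.google.com",
    "printer._ipp._tcp.local",                               # mDNS, skipped
    "a9f3e2b7c1d04e6f8a2b9c0d1e3f4a5b6c7d8e9f.tunnel.example.net",
    "dnscat.9d2e1f7a3b.c2.example.org",
]

def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def suspicious_query(name, max_len=15, max_label=30, min_entropy=3.5):
    """Return the reasons a query name looks like tunnelling, or [] if none.
    Mirrors dns.qry.name.len > 15 && !mdns, then adds label-length and
    entropy checks on the longest label and the tool markers from above."""
    if name.endswith(".local"):
        return []                                  # mDNS noise, like !mdns
    reasons = []
    if len(name) > max_len:
        reasons.append("name_len>%d" % max_len)
    longest = max(name.split("."), key=len)        # the label carrying data
    if len(longest) > max_label:
        reasons.append("label_len>%d" % max_label)
    if shannon_entropy(longest) > min_entropy:
        reasons.append("high_entropy")
    for marker in ("dnscat", "dns2tcp"):
        if marker in name:
            reasons.append("tool:" + marker)
    return reasons

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(q, "->", suspicious_query(q) or "ok")
```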

FTP Traffic

ftp.response.code == 211
  • FTP response codes

    • 211, System status
    • 212, Directory status
    • 213, File status
    • 220, Service ready
    • 227, Entering passive mode
    • 228, Long passive mode
    • 229, Extended passive mode
    • 230, User login
    • 231, User logout
    • 331, Valid username
    • 430, Invalid username or password
    • 530, No login, invalid password
  • Some FTP commands

    • USER, Username
    • PASS, Password
    • CWD, Change working directory
    • LIST, List
  • FTP Commands can be found via

ftp.request.command == "USER"
ftp.request.arg == "password"
  • Bruteforce signal, list failed login attempts
ftp.response.code == 530
  • Bruteforce signal, List target username
(ftp.response.code == 530) && (ftp.response.arg contains "username")
  • Password spray signal, List targets for a static password
(ftp.request.command == "PASS") && (ftp.request.arg == "password")

HTTP

  • http or http2
  • HTTP methods can be searched for
http.request.method == "GET"
http.request
  • HTTP response codes
    • 200, OK
    • 301, Moved Permanently
    • 302, Moved Temporarily
    • 400, Bad Request
    • 401, Unauthorised
    • 403, Forbidden
    • 404, Not Found
    • 405, Method Not Allowed
    • 408, Request Timeout
    • 500, Internal Server Error
    • 503, Service Unavailable
http.response.code == 200
  • HTTP header parameters
http.user_agent contains "nmap"
http.request.uri contains "foo"
http.request.full_uri contains "foo"
  • Other HTTP header parameters
    • Server: Server service name
    • Host: Hostname of the server
    • Connection: Connection status
    • Line-based text data: Cleartext data provided by the server
http.server contains "apache"
http.host contains "keyword"
http.host == "keyword"
http.connection == "Keep-Alive"
data-text-lines contains "keyword"
  • HTTP User Agent and the usual tools to find
http.user_agent
(http.user_agent contains "sqlmap") or (http.user_agent contains "Nmap") or (http.user_agent contains "Wfuzz") or (http.user_agent contains "Nikto")

HTTP and Log4j

http.request.method == "POST"
(ip contains "jndi") or (ip contains "Exploit")
(frame contains "jndi") or (frame contains "Exploit")
(http.user_agent contains "$") or (http.user_agent contains "==")

HTTPS

  • Client Hello, (http.request or tls.handshake.type == 1) && !(ssdp)

  • Server Hello,(http.request or tls.handshake.type == 2) && !(ssdp)

  • Enter the pre-shared key via Edit --> Preferences --> Protocols --> TLS

  • Get the pre-shared key via

ip xfrm state
  • Alternatively use a Pre-Master-Secret log file to decode TLS

Plain Text Credentials

Tools -> Credentials shows all the plain text credentials inside the pcap file

Firewall ACLs Rules

Create firewall ACL rules via Tools -> Firewall ACL Rules. Rules can be created for

  • iptables
  • IOS
  • ipfilter
  • ipfw
  • pf
  • netsh