Wednesday, March 23, 2011

Wireshark Tutorial and Cheat Sheet

A powerful tool in any security practitioner's toolkit is Wireshark. A basic understanding of Wireshark usage and display filters saves a lot of time when you want to look quickly at some "interesting" data on the wire (or the Wi-Fi). Hopefully this short Wireshark tutorial and cheat sheet will help you get started.

Before we get started: if you are command-line oriented, or just want to decode a capture on a headless (no GUI) Linux server, tshark is the command-line version of Wireshark and an excellent alternative. It understands the same capture and display filters as the GUI.

Wireshark runs on a variety of operating systems; we will touch on Ubuntu Linux, CentOS and Windows.

If you are using Ubuntu you are in luck:

#apt-get update
#apt-get install wireshark tshark

Capturing needs raw access to the network interface. Rather than running the whole GUI (and its many protocol dissectors) as root, answer "yes" when the Debian/Ubuntu package asks whether non-superusers should be able to capture (dpkg-reconfigure wireshark-common brings the question back) and add your user to the wireshark group; only the small dumpcap helper then runs with elevated privileges.

If you are using Fedora or CentOS:

#yum install wireshark-gnome

On Windows you are probably familiar with the routine: go to the download page, download the executable and run it to install. The installer also installs a packet capture driver (WinPcap) that lets the network card be put into promiscuous mode.

Looking at the Wireshark interface, it is clear that you can quickly browse through the captured packets and dive into any one of them to see every detail, right down to the ASCII text sent in the clear by unencrypted, text-based protocols.

Many beginners fail to notice an excellent and handy feature: Follow TCP Stream. Select a TCP packet, right-click it and choose Follow TCP Stream. Wireshark collects every segment of the conversation that packet belongs to (both directions), puts them back in sequence order and shows the result as one continuous text. Doing this you can quickly view the source of entire web pages, emails or IRC chat logs. Seeing how easily it is done can make you rethink your use of unencrypted protocols, especially once you capture some POP3 / Telnet / FTP username and password combinations.

Wireshark and Tshark Filters Cheat Sheet:

These are pretty self explanatory. Enter the expressions into the display filter bar, or pass them to tshark with -Y (older releases used -R for the same thing). From these you can quickly work out how to filter out the noise and get to the packets you want. One caveat: fields such as ip.addr and tcp.port are matched against both the source and the destination, so "ip.addr == 192.168.0.5" keeps traffic in either direction, while "ip.addr != 192.168.0.5" keeps almost everything (it is true whenever either address differs). To exclude a host, negate the whole comparison as in the second example below.

eth.addr == 00:11:11:00:11:15
ip.addr == 192.168.0.5
!(ip.addr == 192.168.0.5)
tcp
udp
!(tcp.port == 53)
tcp.port == 80 || udp.port == 80
http
not arp and not (udp.port == 53)
not (tcp.port == 80) and not (tcp.port == 25) and ip.addr == 192.168.0.5
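To make the two points above concrete (how Follow TCP Stream reassembles a conversation, and what the cheat-sheet filters actually match), here is an added example that is not code from the page or from the Wireshark project. It models packets as plain Python objects, evaluates the display-filter expressions listed above with a small recursive-descent parser that copies Wireshark's "any value of the field matches" rule, and reassembles a POP3 login the way Follow TCP Stream does. The capture is constructed inline (the hosts, MACs and credentials are made up; 192.168.0.5 and 00:11:11:00:11:15 are reused from the cheat sheet), and "http" is simplified to "TCP on port 80" rather than a real dissector.

```python
"""Toy model of Wireshark display filters and "Follow TCP Stream".

Added example, not the page's or Wireshark's own code.  The capture is
constructed inline; field names mirror Wireshark's so the cheat-sheet
expressions can be evaluated as written.
"""
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src: str                 # IP addresses ("" for non-IP frames such as ARP)
    dst: str
    proto: str               # "tcp", "udp" or "arp"
    sport: int = 0
    dport: int = 0
    seq: int = 0             # TCP sequence number of the first payload byte
    payload: bytes = b""
    eth_src: str = ""
    eth_dst: str = ""

    def field(self, name):
        """All values of a (possibly multi-valued) field, as strings."""
        if name == "eth.addr":
            return [self.eth_src, self.eth_dst]
        if name == "ip.addr" and self.proto != "arp":
            return [self.src, self.dst]
        if name in ("tcp.port", "udp.port") and self.proto == name[:3]:
            return [str(self.sport), str(self.dport)]
        return []

    def has_proto(self, name):
        if name == "http":   # simplification: HTTP == TCP port 80 (no dissector here)
            return self.proto == "tcp" and 80 in (self.sport, self.dport)
        if name == "ip":
            return self.proto in ("tcp", "udp")
        return self.proto == name


TOKEN = re.compile(r"\(|\)|==|!=|\|\||&&|!|[^\s()!=|&]+")


class Filter:
    """Evaluator for the display-filter subset used on this page:
    ! / not, && / and, || / or, parentheses, protocol names, field == / != value."""

    def __init__(self, expr):
        self.toks, self.pos = TOKEN.findall(expr), 0
        self.fn = self._or()
        if self.pos != len(self.toks):
            raise ValueError("unparsed tokens: %r" % self.toks[self.pos:])

    def __call__(self, packet):
        return self.fn(packet)

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _next(self):
        self.pos += 1
        return self.toks[self.pos - 1]

    def _or(self):
        left = self._and()
        while self._peek() in ("||", "or"):
            self._next()
            left = (lambda l, r: lambda p: l(p) or r(p))(left, self._and())
        return left

    def _and(self):
        left = self._unary()
        while self._peek() in ("&&", "and"):
            self._next()
            left = (lambda l, r: lambda p: l(p) and r(p))(left, self._unary())
        return left

    def _unary(self):
        t = self._next()
        if t in ("!", "not"):
            inner = self._unary()
            return lambda p: not inner(p)
        if t == "(":
            inner = self._or()
            if self._next() != ")":
                raise ValueError("missing )")
            return inner
        if self._peek() in ("==", "!="):
            want_equal, value = self._next() == "==", self._next()
            # Wireshark rule: a multi-valued field (ip.addr, tcp.port, ...) matches
            # if ANY of its values satisfies the comparison, so "ip.addr != x" is
            # true whenever src OR dst differs from x.  Use "!(ip.addr == x)".
            return lambda p: any((v == value) == want_equal for v in p.field(t))
        return lambda p: p.has_proto(t)


# Constructed capture (not a real trace).  The POP3 segments from 192.168.0.5
# are deliberately out of order to show that reassembly sorts by seq.
GW, H5, H7 = "00:11:11:00:11:15", "aa:aa:aa:00:00:05", "aa:aa:aa:00:00:07"
CAPTURE = [
    Packet("192.168.0.5", "192.168.0.1", "udp", 40000, 53, eth_src=H5, eth_dst=GW),
    Packet("192.168.0.5", "10.0.0.2", "tcp", 51000, 110, 1, b"USER alice\r\n", H5, GW),
    Packet("10.0.0.2", "192.168.0.5", "tcp", 110, 51000, 1, b"+OK\r\n", GW, H5),
    Packet("192.168.0.5", "10.0.0.2", "tcp", 51000, 110, 26, b"LIST\r\n", H5, GW),
    Packet("192.168.0.5", "10.0.0.2", "tcp", 51000, 110, 13, b"PASS s3cret\r\n", H5, GW),
    Packet("", "", "arp", eth_src=H7, eth_dst="ff:ff:ff:ff:ff:ff"),
    Packet("192.168.0.7", "10.0.0.3", "tcp", 52000, 80, 1, b"GET / HTTP/1.1\r\n", H7, GW),
]


def apply_filter(expr, packets=CAPTURE):
    """Indexes of the packets a display-filter expression keeps."""
    f = Filter(expr)
    return [i for i, p in enumerate(packets) if f(p)]


def follow_tcp_stream(selected, packets=CAPTURE):
    """Follow TCP Stream: every segment of the conversation `selected` belongs to,
    each direction sorted by sequence number and joined.  Returns (client, server)
    bytes, client being the side that sent `selected`.  Retransmissions and
    overlapping segments are not handled in this toy."""
    if selected.proto != "tcp":
        raise ValueError("Follow TCP Stream needs a TCP packet")
    fwd = (selected.src, selected.sport, selected.dst, selected.dport)
    rev = (selected.dst, selected.dport, selected.src, selected.sport)

    def direction(key):
        segs = [p for p in packets if p.proto == "tcp"
                and (p.src, p.sport, p.dst, p.dport) == key]
        return b"".join(p.payload for p in sorted(segs, key=lambda p: p.seq))
    return direction(fwd), direction(rev)


def plaintext_credentials(data):
    """Pull USER/PASS lines out of a reassembled POP3 or FTP client stream."""
    creds = {}
    for line in data.decode("ascii", "replace").splitlines():
        word, _, rest = line.partition(" ")
        if word.upper() in ("USER", "PASS"):
            creds[word.upper()] = rest
    return creds


if __name__ == "__main__":
    for expr in ("ip.addr == 192.168.0.5", "!(ip.addr == 192.168.0.5)",
                 "ip.addr != 192.168.0.5", "not arp and not (udp.port == 53)"):
        print("%-35s -> packets %s" % (expr, apply_filter(expr)))
    client, server = follow_tcp_stream(CAPTURE[4])
    print(client.decode(), plaintext_credentials(client))
```

Running it shows the gotcha directly: "!(ip.addr == 192.168.0.5)" keeps only the two packets that do not involve that host, while "ip.addr != 192.168.0.5" keeps six of the seven. Following the stream from the PASS segment yields the whole login in order even though the segments were captured out of order, which is exactly what makes plaintext POP3, Telnet and FTP so easy to harvest.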

Interested in how noisy the tools on HackerTarget.com are? Fire up Wireshark and run a couple of scans; try Nikto and nmap to start with.

Wireshark
Wireshark Download
Wireshark Manual and User Guide
