hacktricks/generic-methodologies-and-resources/basic-forensic-methodology/pcap-inspection/wireshark-tricks.md

Wireshark tricks

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

• Check the subscription plans!
• Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
• Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

{% endhint %}

WhiteIntel

WhiteIntel ni injini ya kutafuta inayotumiwa na dark-web ambayo inatoa kazi za bure kuangalia kama kampuni au wateja wake wamekuwa compromised na stealer malwares.

Lengo lao kuu la WhiteIntel ni kupambana na utekaji wa akaunti na mashambulizi ya ransomware yanayotokana na malware inayopora taarifa.

Unaweza kuangalia tovuti yao na kujaribu injini yao kwa bure kwenye:

{% embed url="https://whiteintel.io" %}

---

Improve your Wireshark skills

Tutorials

Mafunzo yafuatayo ni mazuri kujifunza mbinu za msingi:

• https://unit42.paloaltonetworks.com/unit42-customizing-wireshark-changing-column-display/
• https://unit42.paloaltonetworks.com/using-wireshark-display-filter-expressions/
• https://unit42.paloaltonetworks.com/using-wireshark-identifying-hosts-and-users/
• https://unit42.paloaltonetworks.com/using-wireshark-exporting-objects-from-a-pcap/

Analysed Information

Expert Information

Kubofya kwenye Analyze --> Expert Information utapata muonekano wa kile kinachotokea katika pakiti zilizochambuliwa:

Resolved Addresses

Chini ya Statistics --> Resolved Addresses unaweza kupata taarifa kadhaa ambazo zimekuwa "resolved" na wireshark kama port/transport hadi protocol, MAC hadi mtengenezaji, nk. Ni ya kuvutia kujua kile kinachohusika katika mawasiliano.

Protocol Hierarchy

Chini ya Statistics --> Protocol Hierarchy unaweza kupata protocols zinazo husika katika mawasiliano na data kuhusu hizo.

Conversations

Chini ya Statistics --> Conversations unaweza kupata muhtasari wa mazungumzo katika mawasiliano na data kuhusu hizo.

Endpoints

Chini ya Statistics --> Endpoints unaweza kupata muhtasari wa endpoints katika mawasiliano na data kuhusu kila moja yao.

DNS info

Chini ya Statistics --> DNS unaweza kupata takwimu kuhusu ombi la DNS lililokamatwa.

I/O Graph

Chini ya Statistics --> I/O Graph unaweza kupata grafu ya mawasiliano.

Filters

Hapa unaweza kupata chujio za wireshark kulingana na protocol: https://www.wireshark.org/docs/dfref/
Chujio zingine za kuvutia:

• (http.request or ssl.handshake.type == 1) and !(udp.port eq 1900)
• HTTP na trafiki ya mwanzo ya HTTPS
• (http.request or ssl.handshake.type == 1 or tcp.flags eq 0x0002) and !(udp.port eq 1900)
• HTTP na trafiki ya mwanzo ya HTTPS + TCP SYN
• (http.request or ssl.handshake.type == 1 or tcp.flags eq 0x0002 or dns) and !(udp.port eq 1900)
• HTTP na trafiki ya mwanzo ya HTTPS + TCP SYN + maombi ya DNS

Search

Ikiwa unataka kutafuta maudhui ndani ya pakiti za vikao bonyeza CTRL+f. Unaweza kuongeza tabaka mpya kwenye bar ya habari kuu (No., Wakati, Chanzo, nk.) kwa kubonyeza kitufe cha kulia na kisha kuhariri safu.

Free pcap labs

Fanya mazoezi na changamoto za bure za: https://www.malware-traffic-analysis.net/

Identifying Domains

Unaweza kuongeza safu inayonyesha kichwa cha HTTP cha Host:

Na safu inayoongeza jina la Server kutoka kwa muunganisho wa HTTPS unaoanzisha (ssl.handshake.type == 1):

Identifying local hostnames

From DHCP

Katika Wireshark ya sasa badala ya bootp unahitaji kutafuta DHCP

From NBNS

Decrypting TLS

Decrypting https traffic with server private key

edit>preference>protocol>ssl>

Bonyeza Edit na ongeza data zote za server na funguo binafsi (IP, Port, Protocol, Key file na password)

Decrypting https traffic with symmetric session keys

Firefox na Chrome zina uwezo wa kurekodi funguo za kikao za TLS, ambazo zinaweza kutumika na Wireshark kufungua trafiki ya TLS. Hii inaruhusu uchambuzi wa kina wa mawasiliano salama. Maelezo zaidi juu ya jinsi ya kufanya ufunguo huu yanaweza kupatikana katika mwongozo kwenye Red Flag Security.

Ili kugundua hii tafuta ndani ya mazingira kwa variable SSLKEYLOGFILE

Faili ya funguo zilizoshirikiwa itakuwa na muonekano huu:

Ili kuingiza hii katika wireshark nenda kwa _edit > preference > protocol > ssl > na uingize katika (Pre)-Master-Secret log filename:

ADB communication

Toa APK kutoka kwa mawasiliano ya ADB ambapo APK ilitumwa:

from scapy.all import *

pcap = rdpcap("final2.pcapng")

def rm_data(data):
splitted = data.split(b"DATA")
if len(splitted) == 1:
return data
else:
return splitted[0]+splitted[1][4:]

all_bytes = b""
for pkt in pcap:
if Raw in pkt:
a = pkt[Raw]
if b"WRTE" == bytes(a)[:4]:
all_bytes += rm_data(bytes(a)[24:])
else:
all_bytes += rm_data(bytes(a))
print(all_bytes)

f = open('all_bytes.data', 'w+b')
f.write(all_bytes)
f.close()

WhiteIntel

WhiteIntel ni injini ya kutafuta inayotumiwa na dark-web ambayo inatoa kazi za bure kuangalia ikiwa kampuni au wateja wake wamekuwa compromised na stealer malwares.

Lengo lao kuu la WhiteIntel ni kupambana na utekaji wa akaunti na mashambulizi ya ransomware yanayotokana na malware inayopora taarifa.

Unaweza kuangalia tovuti yao na kujaribu injini yao kwa bure kwenye:

{% embed url="https://whiteintel.io" %}

{% hint style="success" %} Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

• Angalia mpango wa usajili!
• Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
• Shiriki hila za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

{% endhint %}