
Wireshark Cheat Sheet

Network protocol analyzer. It uses the pcapng file format.

Start

wireshark

# Open with .pcapng file
wireshark example.pcapng

Settings

Datetime Format for When Packets Were Sent

Select “View → Time Display Format → Date and Time of Day”.

Filters

Enter the following expressions in the display filter bar.

Datetime

frame.time >= "Jan 2, 2023 08:00:00" && frame.time <= "Jan 5, 2023 08:00:00"

DNS

dns
udp.port == 53

# Record type
dns.qry.type == 1   # A record
dns.qry.type == 2   # NS record
dns.qry.type == 5   # CNAME record
dns.qry.type == 6   # SOA record
dns.qry.type == 15  # MX record
dns.qry.type == 16  # TXT record
dns.qry.type == 28  # AAAA record
dns.qry.type == 252 # AXFR

# Query name (matches is a regular expression test; use contains for a literal substring)
dns.qry.name matches "example.com"

# Response
dns.flags.response == 0 # Queries only (packets that are not responses)

FTP

HTTP & HTTPS

ICMP

IP Address

Kerberos (KRB4, KRB5)

SMB

SMTP

SSH

Search Packets by Strings

We can find sensitive information in packets by searching for strings in the filter bar:

Note that it is case sensitive.

Detailed Information

  1. Right click on the row item.

  2. Select Follow → TCP Stream. Another window opens.

  3. Find information by clicking the arrow on the right of "Stream *".

More Information

  • Analyze → Expert Information

    Read the expert information (errors, warnings and notes Wireshark raised while dissecting).

  • Statistics → Capture File Properties

    Read the capture file comments.

  • Statistics → Conversations

    List IP conversations. We can find the IP addresses involved in the traffic.

  • Statistics → Protocol Hierarchy

    Show the protocols and services present in the capture and how much of the traffic each accounts for.

  • View → Name Resolution

    Resolve IP addresses (and MAC addresses and port numbers) to names.

Data Exfiltration via DNS

  1. Enter "dns" in the filter bar.

  2. If you find query names like the following, the subdomain labels may carry encoded data, and you may be able to recover what was exfiltrated.

  3. For example, decode "936...".
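The same check done outside the GUI, as an added example that is not part of the original cheat sheet: it takes query names exported from a capture (the tshark export command in the comment is an assumed workflow), groups hex-looking leftmost labels by parent domain and decodes them. The hostnames and payload are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample export, one dns.qry.name value per line. This is the shape you get
# from `tshark -r capture.pcapng -Y "dns.flags.response == 0" -T fields -e dns.qry.name`
# (assumed workflow); the hostnames are made up for this example.
SAMPLE_QUERIES = """\
www.example.com
48656c6c6f.exfil.example.net
mail.example.com
2c20776f726c64.exfil.example.net
cdn.example.org
2e0a.exfil.example.net
"""

# A leftmost label made only of hex digits, at least 4 characters and even length,
# is treated as a candidate data chunk. Tune the minimum length for your environment:
# short hex-looking labels such as "beef" or "cafe" can be legitimate hostnames.
HEX_LABEL = re.compile(r"^[0-9a-fA-F]{4,}$")


def hex_chunks(queries):
    """Group hex-looking leftmost labels by the rest of the name, in capture order.
    Returns {"exfil.example.net": ["48656c6c6f", ...], ...}."""
    chunks = defaultdict(list)
    for line in queries.splitlines():
        name = line.strip().rstrip(".")
        if "." not in name:
            continue  # a bare label has no parent domain to group by
        first, parent = name.split(".", 1)
        if HEX_LABEL.match(first) and len(first) % 2 == 0:
            chunks[parent.lower()].append(first.lower())
    return dict(chunks)


def decode_payloads(queries):
    """Concatenate the chunks per parent domain and hex-decode them."""
    return {parent: bytes.fromhex("".join(parts))
            for parent, parts in hex_chunks(queries).items()}


if __name__ == "__main__":
    for parent, data in decode_payloads(SAMPLE_QUERIES).items():
        # Prints: exfil.example.net: 14 bytes -> b'Hello, world.\n'
        print(f"{parent}: {len(data)} bytes -> {data!r}")
```

Chunks are joined in capture order, so if the capture contains retransmitted or out-of-order queries, deduplicate and sort them (for example by a sequence number embedded in the label) before decoding.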

Data Exfiltration via HTTP

  1. Open File → Export Objects → HTTP...

  2. Click "Save all".

  3. Analyze steganographic files using tools like steghide.

Extract Images

If a .pcapng file contains file data such as an image, we can extract it with the following Linux command:

WiFi Handshakes

If the imported pcap file contains WiFi handshakes, the WiFi password can be recovered from that file (see Crack WiFi Password below).

Decrypting SSL/TLS Traffic

To read the contents of TLS communications, we first need to import the server's certificate private key into Wireshark. The following commands may help locate the key on the server:

After obtaining the private key (e.g. ssl_private.key), import it into Wireshark as follows:

  1. In Wireshark, go to Edit → Preferences → Protocols → TLS.

  2. Click Edit... next to RSA keys list and fill in each field (IP address, Port, Protocol). The Protocol field value must be tcp. Then specify the private key we found in the Key File field. Click OK.

  3. Fill in the TLS debug file field with an arbitrary file name. Click OK.

Now we can observe the TLS communication as HTTP. Note that a private key only decrypts sessions that used RSA key exchange; for (EC)DHE cipher suites (forward secrecy) the key is not enough, and a TLS key log file (the (Pre)-Master-Secret log filename setting on the same page) is needed instead.

Decrypt Kerberos Cipher Data

In the packet details of a Kerberos packet, we may see the encrypted data and the CNAME string, like the following:

We may be able to recover the password (and so decrypt the cipher value) by cracking it.

Copy the cipher value (e.g. abcdef01234…) and combine it with the Kerberos hash format (e.g. $krb...) as below.

The format is something like:

Build the formatted string and crack the hash with hashcat:

Crack WiFi Password

In Wireshark, go to File → Save As... and save the traffic as a .pcap file. Then check for the target network with aircrack-ng as below:

If the network is found, crack the password:

After cracking, we can add the password to the Wireshark preferences so that the WiFi traffic is decrypted.

  1. In Wireshark, go to Edit → Preferences → Protocols → IEEE 802.11 and click Edit... next to Decryption keys.

  2. Select wpa-pwd as the Key type and enter the password as the Key (the form password:SSID is also accepted, which is needed when the capture contains several networks).
