# Wireshark Cheat Sheet Network protocol analyzer. It uses the pcapng file format. ### Start ```shellscript wireshark # Open with .pcapng file wireshark example.pcapng ``` ### Settings #### Datetime Format When Packets Sent Select “View → Time Display Format → Date and Time of Day”. ### Filters Enter the following text in a filtering form. #### Datetime ```shellscript frame.time >= "Jan 2, 2023 08:00:00" && frame.time <= "Jan 5, 2023 08:00:00" ``` #### DNS ```shellscript dns udp.port == 53 # Record type dns.qry.type == 1 # A record dns.qry.type == 2 # NS record dns.qry.type == 5 # CNAME record dns.qry.type == 6 # SOA record dns.qry.type == 15 # MX record dns.qry.type == 16 # TXT record dns.qry.type == 28 # AAAA record dns.qry.type == 252 # AXFR # Query name dns.qry.name matches "example.com" # Reponse dns.flags.response == 0 # No response ``` #### FTP ```shellscript ftp ftp-data ``` #### HTTP & HTTPS ```shellscript # HTTP http tcp.port == 80 # HTTPS ssl tcp.port == 443 tcp.port == 80 || tcp.port == 443 # Methods http.request.method == GET http.request.method == POST # Domains http.host matches "example.com" http.host == "example.com" ``` #### ICMP ```shellscript icmp ``` #### IP Address ```shellscript ip.addr == 10.0.0.1 ip.addr != 10.0.0.2 ip.addr == 10.0.0.1 && ip.addr == 10.0.0.2 ip.src == 10.0.0.1 ip.dst == 10.0.0.2 ip.src == 10.0.0.1 && ip.dst != 10.0.0.0/24 ``` #### Kerberos (KRB4, KRB5) ```shellscript kerberos krb4 ``` #### SMB ```shellscript smb smb2 ``` #### SMTP ```shellscript smtp smtp.req.parameter contains "FROM" ``` #### SSH ```shellscript ssh tcp.port == 22 ``` ### Search Packets by Strings We can find sensitive information in packets by searching strings in the filter bar: ```shellscript frame contains "password" frame contains "Password" ``` Note that it’s **case sensitive** . ### Detailed Information 1. Right click on the row item. 2. Select **Follow -> TCP Stream**. Another window opens. 3. Find information by clicking the arrow on the right of **"Stream \*"**. ### More Information * **Analyze -> Expert Information** Read the expert information. * **Statistics -> Capture File Properties** Read the capture file comments. * **Statistics → Conversations** List IP conversations. We can find IP addresses involved in the traffic. * **Statistics → Protocol Hierarchy** Show usage of ports and services. * **View -> Name Resolution** Resolve IP addresses. ### Data Exfiltration via DNS 1. Enter **"dns"** in filter form 2. If you found a domain such as follow, you may be able to retrieve threats. ``` 93616e64792043...2038343931.vulnerable.com ``` 3. For example, decode "936...". ### Data Exfiltration via HTTP 1. Open **File -> Export Objects -> HTTP...** . 2. Click **"Save all"**. 3. Analyze steganographic files using tools like steghide. ### Extract Images If a `.pcapng` file contains file data such as image, we can extract it by the following Linux command: ```shellscript foremost -i example.pcapng -o output ``` ### WiFi Handshakes When importing pcap file, then if we found the capture file is about WiFi handshakes, we can crack the WiFi password using this file. ```shellscript aircrack-ng example.pcap -w wordlist.txt ``` ### Decrypting SSL/TLS Traffic To retrieve data from TLS communications, we need to import the certificates (private key) into the WireShark at first. To find the certificates, the following commands may be useful in the server: ```shellscript find / -name "*.key" 2>/dev/null find /etc/apache2/ -name "*.key" 2>/dev/null find /etc/nginx/ -name "*.key" 2>/dev/null ``` After getting the private key (e.g. `ssl_private.key`), we can import it in the WireShark as below: 1. In WireShark, go to the `Edit` → `Preferences` → `Protocols` → `TLS`. 2. Click the `RSA key list Edit...` and fill each field (Ip address, Port, Protocol). The Protocol field value must be `tcp`. Then specify our found private key in the Key File. Click OK. 3. Fill `TLS debug fild` with arbitrary file name. Click OK. Now we can observe TLS communication as `HTTP`. ### Decrypt Kerberos Cipher Data Seeing packet details for the Kerberos packet, we may see the encrypted data and the CNAME string as such below: ```shellscript Kerberos: ... etype: eTYPE-AES256-CTS-HMAC-SHA1-96 (18) cipher: abcdef01234... ... cname cname-string: CNameString: example realm: EXAMPLE.LOCAL ``` We may be able to decrypt the `cipher` value by cracking it. Copy the `cipher` value (e.g. `abcdef01234…`) and concatenate with the `krb` format (e.g. `$krb...`) as below. The format is something like: ```shellscript $krb5pa$[etype_number]$[cname]$[realm]$[cipher] ``` So make the formatted string and crack the hash using hashcat: ```shellscript # Kerberos 5, etype 17, Pre-Auth echo -n '$krb5pa$17$example$EXAMPLE.LOCAL$abcdef01234..' > hash.txt hashcat -m 19800 hash.txt wordlist.txt # Kerberos 5, etype 18, Pre-Auth echo -n '$krb5pa$18$example$EXAMPLE.LOCAL$abcdef01234...' > hash.txt hashcat -m 19900 hash.txt wordlist.txt ``` ### Crack WiFi Password In Wireshark, go to `File` → `Save As...` and save the traffic as `.pcap` file. Then check the target network using `aircrack-ng` as below: ```shellscript aircrack-ng example.pcap ``` If the network found, crack the password: ```shellscript aircrack-ng example.pcap -w wordlist.txt ``` After cracking, we can set it to the WireShark preference. 1. In WireShark, go to `Edit` → `Preferences` → `Protocols` → `IEEE 802.11`. And click on the `Edit` of `Decryption Keys`. 2. Select `wpa-pwd` for the `Key type` and fill the password for the `Key`.