Wireshark: the world's foremost and most widely-used network protocol analyzer
Wireshark is an open-source, freely available tool used to analyze network packets. You could think of a network packet analyzer as a measuring device for examining what's happening inside a network cable, just like an electrician uses a voltmeter to examine what's happening inside an electric cable.
What's in this write-up ->> In this write-up I'm sharing some Wireshark filters and tips to use when searching for malicious actors and malicious activities:
1. Creating profiles
2. Adding GeoIP data to find where traffic is coming from
3. Filters for different purposes, and many more
1. Creating profiles
(Screenshot: the Profile section of the status bar.)
In the bottom right corner you can see the "Profile" section, which most probably is set to Default.
->> Right-click on it and you can see the option "New"; click on it.
->> Now give the profile any name and click OK.
->> Now you can see your new profile.
Mine is Student, what's yours?
2. Adding GeoIP data to find where traffic is coming from
Search for https://www.maxmind.com/en/geoip2-country-database
MaxMind is a Massachusetts-based digital mapping company that provides location data for IP addresses.
Steps:
First download the GeoIP database file from the given link onto your computer.
After downloading, open Wireshark.
- In the Wireshark menu bar at the top, go to Edit
- At the bottom of that menu you can see Preferences
- In Preferences go to Name Resolution, as seen in the screenshot
- Scroll down to the bottom and you can see MaxMind database directories
- Now add the directory where the downloaded GeoIP database is stored
To check -> go to the layer shown in the 2nd screenshot, right-click on it and choose Apply as Column. Now, for example, search for HTTP traffic in the filter bar and you can see the GeoIP country the IP belongs to.
You can see the source GeoIP column.
3. Filters for different purposes, and many more
In this section I will share filters and the purposes they are used for.
Some basics of the display-filter syntax used when searching with a specific filter:
or (for ex. a or b: if either one is found, show the result)
and (a and b: only show the result if both are found)
!= (if a is not equal to b)
== (if a is equal to b)
Easy things first. If you want to search for anything inside packets, for ex. I want to search for all successful login attempts, I will search using
->> frame contains "successful"
For a specific protocol or a specific port, whether TCP or UDP:
For ex. if you want to search for all HTTP traffic or ICMP traffic
->> http or icmp
tcp.port == 80 (searching for HTTP traffic)
udp.port == 53 (searching for DNS queries over UDP)
If you know some IP address and you want to search for it within the network
For ex. I know some IP from threat actors, so I search for it within my network
->> ip.addr == 192.168.1.1
Now those were some easy filters and spoon-feeding with examples; now some flash ⚡ speed.
If you don't know much about Wireshark because you think that only using Burp Suite or some offensive tools makes you a hacker, wait... I'm sorry, god pardon him/her. Learn from YouTube, practice on TryHackMe, write write-ups on Medium.
Most of the time tcp.port shows TCP traffic; we can use a filter to see the traffic from UDP as well
tcp.srcport or udp.srcport (for source ports)
tcp.dstport or udp.dstport (for destination ports)
We can also add the host to find out what server we are communicating with
Search with the http filter ->> then select a packet and go to the HTTP header, where we can see Host (right-click on it and click Apply as Column)
Now you can see a new column "Host" showing where your device is communicating
To display protocol names instead of port numbers
In Edit > Preferences, tick the Name Resolution options, which resolve MAC addresses, transport names and IP addresses.
To find what objects are coming in/going out within the network
We can export HTTP objects (objects like png, exe, pdf, txt etc.)
In the File tab on top >> Export Objects >> HTTP
Unusual DNS activity
So if we see a large DNS packet coming in or going out, it is malicious
dns.flags.response == 1 and ip.len > 500
They will try to communicate with external servers
dns.flags.response == 0 and !(ip.dst == <ip address here>) (put your own DNS server's IP here: queries going anywhere else are the suspicious ones)
Unusual country codes
To find any connection communicating with a country we don't do business with.
ip.geoip.dst_country == "China"
Strange TCP behavior
We can check for SYN scans. SYN can be used to query devices for open ports; we can set a filter to check how many SYN packets came in
tcp.flags.syn == 1 (to check SYN packets)
tcp.flags.ack == 0 (to check for the acknowledgment flag set to 0)
tcp.flags.ack == 0 and tcp.flags.syn == 1 (to find strange behavior)
->> Xmas scan <<-
In an Xmas scan the packet shows up with several flags lit at once (fin, rst, syn, ack, others)
tcp.flags.ack, tcp.flags.fin, tcp.flags.reset, tcp.flags.syn
We can take such a packet and use Prepare as Filter to filter for all Xmas scan packets
->> Filtering SSH packets <<-
tcp.port == 22
If a network engineer is visiting and working on the network, we have to exclude their IP range so that it doesn't get red-flagged
tcp.port == 22 and !(ip.src == 10.2.1.4/24)
->> How to analyze traffic on non-standard ports <<-
Go to the Statistics tab >> Conversations >> ports
->> To analyze HTTP methods like GET, POST or others <<-
http.request.method == "GET"
http.request.method == "POST"
This will display all GET or POST data...
->> Filtering for executables <<-
First look at the traffic and find any host, then right-click on that packet and choose Prepare as Filter
http.request.uri == "/file.txt"
Or look for any file that is in txt format
http.request.uri matches "[.]txt$" (matches is a regex: [.] is a literal dot and $ anchors at the end, so this finds any file ending in .txt; avoid ==, which needs the exact URI)
However hackers are now more intelligent and they use other means or file formats to download onto machines because of antivirus or firewalls. We can use the filter
http contains "DOS mode"
- "DOS mode" is written in almost every executable's content, for example executables start with "This program cannot be run in DOS mode"
- We can also check a file for MZ written at the start of the executable (MZ is the magic value that marks a DOS/Windows binary)
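As an added example (not from the original write-up), the DOS-stub and MZ checks above applied to an exported HTTP object in Python, plus the PE-signature check that a display filter cannot express; the sample bytes come from fake_pe() and are constructed, and the header offsets are the standard DOS-header layout:

```python
"""Constructed example: decide whether an exported HTTP object is a Windows
executable, the way the "http contains" and MZ checks above do, plus the
PE-signature check a display filter cannot express. The sample bytes from
fake_pe() are constructed; they are a header only, not a real program."""
import struct

DOS_STUB = b"This program cannot be run in DOS mode"

def looks_like_pe(body):
    """Return (is_executable, reason) for a response body given as bytes."""
    if body[:2] != b"MZ":                       # the MZ magic the write-up mentions
        return (False, "no MZ header")
    if len(body) < 0x40:
        return (False, "MZ but truncated DOS header")
    # e_lfanew at offset 0x3c points at the "PE\0\0" signature
    pe_off = struct.unpack_from("<I", body, 0x3C)[0]
    if body[pe_off:pe_off + 4] == b"PE\x00\x00":
        return (True, "MZ header and PE signature")
    if DOS_STUB in body:                         # same text as http contains "DOS mode"
        return (True, "MZ header and DOS stub text")
    return (False, "MZ header without PE signature or stub")

def fake_pe():
    """Build a minimal constructed MZ/PE header for testing looks_like_pe()."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)       # 64-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x80)       # e_lfanew = 0x80
    stub = b"\x0e\x1f" + DOS_STUB + b".\r\r\n$"   # the usual stub text
    body = bytes(hdr) + stub
    body += b"\x00" * (0x80 - len(body)) + b"PE\x00\x00"
    return body
```

Run looks_like_pe() over the bytes of each object saved via File >> Export Objects >> HTTP to separate real executables from files that merely have an .exe name.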
Network and host discovery scans
A threat actor's first step is reconnaissance -> in active recon they scan for open ports and the services running on those ports, to find possible vulnerabilities.
Scans like ~ARP scans, ~ICMP ping sweeps, ~TCP SYN to common ports, ~UDP scans.
ARP is used to get a machine's MAC address
arp.opcode == 1 for request (an ARP request came in)
arp.opcode == 2 for reply (the machine replies back)
->> To find any machine trying to show its open ports
tcp.flags.syn == 1 and tcp.flags.ack == 1 and ip.dst == <ip> (or we can replace ip.dst (destination IP) with ip.src (source IP))
->> To find out what IP address is broadcasting to find the MACs of others
arp.opcode == 1 (1 for request, 2 for reply)
->> If any device replied back to the attacker
arp.opcode == 2
->> To find whether any ping reply was given to the attacker
icmp.type == 0
OS fingerprinting
- Patterns to watch
- Host-to-host traffic
- Unusual TTL patterns
- Duplicate sequence numbers in SYN
- Strange flags / TCP options
TCP null scan
tcp.flags == 0x000
HTTP enumeration
->> To find out the user agent (like the tools seen in packets that are used to scan, for example gobuster)
http.user_agent contains "gobuster"
->> Searching for unusual ports
!(tcp.port in {443 1433 445 995 8000..8005})
->> To find an nmap stealth scan (nmap tries to send packets with a small TCP window size to reduce the triggering of alerts)
tcp.flags.syn == 1 and tcp.flags.ack == 0 and tcp.window_size <= 1024
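An added example, not part of the original write-up, that applies the SYN, Xmas and null-scan checks from the "Strange TCP behavior" and discovery-scan sections above, plus the small-window stealth hint, to constructed packet summaries in Python; the distinct-port alert threshold and the nmap Xmas flag set (FIN, PSH, URG) are assumptions:

```python
"""Constructed example: classify TCP scan behaviour from packet summaries.
Re-implements in plain Python the flag checks the filters above express
(SYN-only probes with a small window, Xmas and NULL scans) and adds the
per-source distinct-port count. Packets are constructed sample data."""
from collections import defaultdict

# TCP flag bits as they appear in Wireshark's tcp.flags field
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG   # flags nmap -sX sets (assumption: nmap's definition)

def classify(pkt):
    """Return the scan type one TCP packet looks like, or None."""
    flags = pkt["flags"]
    if flags == 0:                         # tcp.flags == 0x000
        return "null-scan"
    if (flags & XMAS) == XMAS:
        return "xmas-scan"
    if flags & SYN and not flags & ACK:    # tcp.flags.syn == 1 and tcp.flags.ack == 0
        # tcp.window_size <= 1024 is the stealth-scan hint from the write-up
        return "stealth-syn" if pkt["window"] <= 1024 else "syn"
    return None

def scan_report(packets, port_threshold=5):
    """Per source: scan types seen, distinct destination ports, alert flag."""
    per_src = defaultdict(lambda: {"types": set(), "ports": set()})
    for pkt in packets:
        kind = classify(pkt)
        if kind is None:
            continue
        per_src[pkt["src"]]["types"].add(kind)
        per_src[pkt["src"]]["ports"].add(pkt["dport"])
    return {src: {"types": v["types"], "ports": len(v["ports"]),
                  "alert": len(v["ports"]) >= port_threshold}
            for src, v in per_src.items()}

# Constructed sample: 10.0.0.9 sweeps ports 20..27 with a 1024-byte window and
# sends one Xmas probe; 10.0.0.5 opens a normal connection; 203.0.113.7 answers one.
SAMPLE = [{"src": "10.0.0.9", "dport": p, "flags": SYN, "window": 1024}
          for p in range(20, 28)]
SAMPLE += [{"src": "10.0.0.9", "dport": 80, "flags": XMAS, "window": 1024},
           {"src": "10.0.0.5", "dport": 443, "flags": SYN, "window": 64240},
           {"src": "203.0.113.7", "dport": 51000, "flags": SYN | ACK, "window": 65535}]

if __name__ == "__main__":
    for src, info in scan_report(SAMPLE).items():
        print(src, sorted(info["types"]), info["ports"], "ALERT" if info["alert"] else "")
```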
->> Suspect GeoIP country
ip.geoip.country == "Russia"
->> If you want to search using the country code
ip.geoip.country_iso == "CN"
->> Strange DNS
dns.qry.name matches "[.](us|mx|cr)$" (domain names ending in these country-code TLDs)
->> To find out connections made to any foreign country, for ex. China
ip.geoip.dst_country == "China"
->> To search for a domain connecting using different country codes
dns.qry.name contains "attackerwebsite" (use contains here; == needs the whole name and doesn't display anything)
->> Search for outdated TLS/bad user agents
http.request.uri matches "[.](tar|exe|zip|pdf|bin|php)$" (request URIs ending in common download file types)
->> To look for FTP file transfers
ftp.request.command == "RETR"
->> Finding unencrypted strings
frame contains "torrent"
->> Looking for old TLS versions
tls.handshake.extensions.supported_version in {0x0300 0x0301 0x0302}
->> To look for DNS exfiltration
dns and ip.len > 200
What to look for in data exfiltration
- Client sending more data than normal
- Lots of suspected DNS/ICMP messages
- Outbound FTP
- Suspect SMTP/SMB/HTTP/HTTPS
->> Filter for outbound SYN/ACK
tcp.flags.syn == 1 and tcp.flags.ack == 1 and !(ip.dst == 10.0.0.0/8) (insert your local IP range to find replies going to any global IP)
->> Filter to look for brute force attacks
frame contains "admin" (as admin is used most of the time as the username, what attackers do is put admin as the username and brute-force the password using a password list)
->> Reverse shell behavior
tcp.port in {1234 4444 1337 6001} (most script kiddies who learned from their favorite hacker use the well-known ports those hackers used in their walkthroughs)
To look for reverse shell traffic
- Any outbound TCP SYN from a server
- GeoIP location of the target
- Ports like 4444, 1234, 5555, 1337 etc.
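An added example (not the author's) that runs the large-DNS, outbound SYN/ACK and reverse-shell-port rules from the sections above over constructed packet summaries in Python; 10.0.0.0/8 as the local range is an assumption:

```python
"""Constructed example: the outbound checks from the sections above (large DNS
packets, outbound SYN/ACK to a non-local address, known reverse-shell ports)
applied to packet summaries in plain Python. Packet records are constructed
sample data; the local range 10.0.0.0/8 is an assumption."""
import ipaddress

LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumption: the site's range
SHELL_PORTS = {1234, 4444, 5555, 1337, 6001}         # ports listed in the write-up
SYN, ACK = 0x02, 0x10

def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)

def check(pkt):
    """Return the names of the write-up's rules one packet summary triggers."""
    hits = []
    if pkt["proto"] == "dns":
        if pkt.get("response") and pkt["ip_len"] > 500:
            hits.append("large-dns-response")   # dns.flags.response == 1 and ip.len > 500
        elif pkt["ip_len"] > 200:
            hits.append("large-dns")            # dns and ip.len > 200
    elif pkt["proto"] == "tcp":
        flags = pkt["flags"]
        # tcp.flags.syn == 1 and tcp.flags.ack == 1 and !(ip.dst == 10.0.0.0/8):
        # a local host completing a handshake that an outside host started
        if flags & SYN and flags & ACK and not is_local(pkt["dst"]):
            hits.append("outbound-synack")
        # tcp.port in {1234 4444 1337 6001}: a connection attempt to a shell port
        if flags & SYN and not flags & ACK and pkt["dport"] in SHELL_PORTS:
            hits.append("reverse-shell-port")
    return hits

def triage(packets):
    """Map each (src, dst) pair to the set of rules it triggered."""
    findings = {}
    for pkt in packets:
        for rule in check(pkt):
            findings.setdefault((pkt["src"], pkt["dst"]), set()).add(rule)
    return findings

# Constructed sample traffic; 203.0.113.0/24 is a documentation-only range
SAMPLE = [
    {"proto": "dns", "src": "10.0.0.5", "dst": "10.0.0.2", "ip_len": 71},
    {"proto": "dns", "src": "10.0.0.2", "dst": "10.0.0.5", "ip_len": 612, "response": True},
    {"proto": "tcp", "src": "10.0.0.20", "dst": "203.0.113.7", "dport": 51234, "flags": SYN | ACK},
    {"proto": "tcp", "src": "10.0.0.5", "dst": "203.0.113.9", "dport": 4444, "flags": SYN},
    {"proto": "tcp", "src": "10.0.0.5", "dst": "203.0.113.9", "dport": 443, "flags": SYN},
]
```

Call triage(SAMPLE) to get the flagged (src, dst) pairs; only the three suspicious packets show up, the normal DNS query and the port-443 connection do not.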
If you got attacked, what are the indicators of compromise?
- Suspect DNS activity
- Scan activity
- Strange TCP ports
- HTTP activity (clear GET/POST traffic)
- Extractable HTTP objects (upload to virustotal.com to check the file hash)
If there is a botnet attack, what to look for
- Suspect HTTP activity (POST, strange user agent, strange files)
- Suspect DNS activity (strange domain names)
- Unusual GeoIP location
- Command & control traffic
- Could become a spam bot (TCP port 25, 587)
Some top things to always look for
- TCP SYN scans
- Unusual port numbers
- GeoIP location pointing to suspect country codes
- Domain calls including suspect countries
- Unencrypted web traffic/file transfer
- Outdated TLS / bad user agents
- Large DNS (or other) packets for sustained periods: data exfiltration
- Outbound SYN/ACK replies (the SYN came from outside the network)
- Brute force password behavior (FTP, SSH, RDP, HTTP)
- Reverse shell behavior
- Also look at HTTPS traffic: decrypt the TLS session to get what's going on inside the traffic
References
Chris Greer YouTube channel
David Bombal YouTube channel
PCAP files from malware-traffic-analysis