Professional Documents
Culture Documents
Wireshark Basics 1707815378
Wireshark Basics 1707815378
414C504F
29/01/2019 1
Contents
29/01/2019 2
Wireshark
29/01/2019 3
Data packets capturing
To start capturing
• Select a network interface
• Click on the blue shark fin
button / press Ctrl + E
29/01/2019 4
Data packets capturing
29/01/2019 5
Data packets capturing
Top frame:
Number | Time | Source | Destination | Protocol | Length | Info
Bottom frame:
Data
29/01/2019 6
Data packets capturing
Top frame:
Number | Time | Source | Destination | Protocol | Length | Info
Bottom frame:
Data
29/01/2019 7
Data packets capturing
Top frame:
Number | Time | Source | Destination | Protocol | Length | Info
Bottom frame:
Data
29/01/2019 8
Data packets capturing
Top frame:
Number | Time | Source | Destination | Protocol | Length | Info
Bottom frame:
Data
29/01/2019 9
Wireshark Filters
29/01/2019 10
Wireshark Filters
29/01/2019 11
Wireshark Filters Relations
English C-like Description and example
eq == Equal. ip.src==10.0.0.5
ne != Not equal. ip.src!=10.0.0.5
gt > Greater than. frame.len > 10
lt < Less than. frame.len < 128
ge >= Greater than or equal to. frame.len ge 0x100
le <= Less than or equal to. frame.len ⇐ 0x20
contains Protocol, field or slice contains a value. sip.To contains
"a1762"
matches ~ Protocol or text field match Perl regualar expression.
http.host matches "acme\.(org|com|net)"
bitwise_and & Compare bit field value. tcp.flags & 0x02
29/01/2019 12
Source: https://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html
Wireshark Combining Expressions
English C-like Description and example
and && Logical AND. ip.src==10.0.0.5 and tcp.flags.fin
or || Logical OR. ip.scr==10.0.0.5 or ip.src==192.1.1.1
xor ^^ Logical XOR. tr.dst[0:3] == 0.6.29 xor tr.src[0:3] ==
0.6.29
not ! Logical NOT. not llc
[…] Slice Operator. eth.addr[0:3]==00:06:5B
in Membership Operator. tcp.port in {80 443 8080}
29/01/2019 13
Source: https://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html
https://wiki.wireshark.org/DisplayFilters
Most common Wireshark filters
tcp.port eq 80
tcp.srcport==443
29/01/2019 14
Most common Wireshark filters
IP addresses:
ip.addr == 10.43.54.65
! ( ip.addr == 10.43.54.65 )
29/01/2019 15
Most common Wireshark filters
29/01/2019 16
Wireshark filters logic
29/01/2019 17
Follow the stream
29/01/2019 18
What if I told you…
That you can search for strings in packets using Edit >
Find Packet... (Ctrl+F)
29/01/2019 19
Contents
29/01/2019 20
SSL ManInTheMiddle with Wireshark
29/01/2019 21
Create certificates
29/01/2019 22
Start a server
29/01/2019 23
Start a server
29/01/2019 24
Send a request with python(3) and stop
the capture
import urllib.request
import ssl
context = ssl._create_unverified_context()
with
urllib.request.urlopen("https://localhost:4443/",
context=context) as url:
s = url.read()
print(s)
29/01/2019 25
Traffic captured
29/01/2019 26
Configure wireshark
29/01/2019 27
Configure wireshark
29/01/2019 28
Configure wireshark
29/01/2019 29
Configure wireshark
29/01/2019 30
Enjoy the decryption
29/01/2019 31
Enjoy the decryption (proof)
29/01/2019 32
SSL ManInTheMiddle (the easy way)
https://jimshaver.net/2015/02/11/decrypting-tls-
browser-traffic-with-wireshark-the-easy-way/
29/01/2019 33
Bedtime stories
https://wiki.wireshark.org/SSL
https://www.cellstream.com/reference-
reading/tipsandtricks/354-wireshark-ssltls-decryption
29/01/2019 34
Contents
29/01/2019 35
Data packets capturing
To start capturing
• Select the WLAN network
interface
• Click on the blue shark fin
button / press Ctrl + E
29/01/2019 36
Example: Establishing a WLAN connection
29/01/2019 37
Example: HTTP/HTTPS traffic capture on wlan0
interface
29/01/2019 38
Decrypt traffic with a known key
29/01/2019 39
Decrypt with known key
29/01/2019 40
Further reading
Aircrack-ng
https://www.aircrack-ng.org/
https://tools.kali.org/wireless-attacks/aircrack-ng
EAPOL
https://security.stackexchange.com/questions/66008
/how-exactly-does-4-way-handshake-cracking-work
29/01/2019 41
Wireshark Advanced
414C504F
29/01/2019 42
Contents
29/01/2019 43
Wireshark dissectors
Can be implemented
• In Lua language
• In C language
29/01/2019 44
Wireshark Lua dissectors
29/01/2019 45
Wireshark Lua dissectors
dofile("path/to/file.lua")
29/01/2019 46
Wireshark Lua dissectors
dofile("path/to/file.lua")
29/01/2019 47
Wireshark Lua dissectors
dofile("path/to/file.lua")
29/01/2019 48
Lua basics
29/01/2019 49
Lua basics
• -- means comment
• Not equal in conditionals is ~=
• Loops: while, repeat until (similar to a do while
loop), for (numeric), for (generic).
• Use i = i + 1 instead of ++ or +=
• nil for null
29/01/2019 50
Lua basics
• Function example
function add(x, y)
return x + y
end
local splash = TextWindow.new(add(3,6));
29/01/2019 51
Lua basics
• Function example
function add(x, y)
return x + y
end
local splash = TextWindow.new(add(3,6));
29/01/2019 52
Lua basics (function example #2)
29/01/2019 53
Credits: https://en.wikipedia.org/wiki/Lua_(programming_language)
Lua basics (function example #2)
29/01/2019 54
Credits: https://en.wikipedia.org/wiki/Lua_(programming_language)
Editing columns example
29/01/2019 55
Source: https://wiki.wireshark.org/Lua/Examples
Editing columns example (before lua)
29/01/2019 56
Source: https://wiki.wireshark.org/Lua/Examples
Editing columns example (after execution)
Note: will only work at Wireshark’s start (save the script in the Plugins
folder before)
29/01/2019 57
Editing trees example
29/01/2019 58
Source: https://wiki.wireshark.org/LuaAPI/TreeItem
Editing trees example
29/01/2019 59
Source: https://wiki.wireshark.org/LuaAPI/TreeItem
Editing trees example
29/01/2019 60
Editing trees example
29/01/2019 61
HTTP Example
Add a function
• e.g. addition of 2 values
• output the result in a tree field
29/01/2019 62
HTTP Example
29/01/2019 63
HTTP Example
29/01/2019 64
Exercise
29/01/2019 65
Exercise
29/01/2019 67
Exercise (solution)
29/01/2019 68
Exercise (solution)
29/01/2019 69
Exercise (solution, proof)
• Decode as a proof
t:set_text(
from_base64(to_base64(tostring(buf()))) )
29/01/2019 70
Exercise (solution)
• Decode as a proof
t:set_text(
from_base64(to_base64(tostring(buf()))) )
29/01/2019 71
What’s next?
29/01/2019 72
What’s next?
29/01/2019 73
What’s next?
Modify/resend packets?
29/01/2019 74
Questions/Feedback?
E-mail: 414C504F@tuta.io
Github: https://github.com/414C504F
29/01/2019 75
Thanks!
29/01/2019 76