
Wireshark 101

This is a write-up of the TryHackMe room Wireshark 101.

Task 1 Introduction

This task introduced the fact that Wireshark is used for creating and analyzing PCAP files. PCAPs are network packet captures that list information about each packet intercepted by the capture tool.

No answer needed

Task 2 Installation

This task explained how to install Wireshark. It gives a link to Wireshark’s website where you can download a copy of the installer.

No answer needed

Task 3 Wireshark Overview

This task explained the basics of Wireshark.

When opening Wireshark you can select an interface to begin listening to the network traffic moving across that interface.

Alternatively, to begin analyzing a pcap file already captured you can click File > Open or press CTRL+O.

To run a test, I clicked on the eth0 interface and then the blue fin icon to start.

Once Wireshark began listening on eth0 I opened a terminal window and ran ping google.com -c 4 to create some test network traffic.

Wireshark displays data in three panes:

  1. Packet List Pane
  2. Packet Details Pane
  3. Packet Bytes Pane

The packet list pane is a list of all the packets in the current capture. The filter bar above this pane can be used to filter this list down based on different information such as:

  • packet number
  • time
  • source ip
  • destination ip
  • protocol
  • length
  • other info

The packet details pane contains information about the currently selected packet.

The packet bytes pane contains the actual packet contents as hexadecimal and ASCII bytes. This is the data that must be encrypted if the communication is to remain confidential on the network.

No answer needed

Task 4 Collection Methods

Task 4 detailed several ways an attacker could get access to network traffic data to then analyze or record with Wireshark.

  • Network Taps
    • This method is similar to “man-in-the-middle” attacks in the way it intercepts traffic before forwarding it to the correct destination.
  • MAC Floods
    • Routers contain a table of MAC addresses called a CAM (Content Addressable Memory) table. If an attacker is able to fill this table by creating numerous MAC addresses on the fly, the router will get overwhelmed and start sending every message to every connected client. In this way, the attacker can get access to information they wouldn’t normally have access to.
  • ARP Poisoning
    • The Address Resolution Protocol (ARP) is used by routers to connect a MAC address to an IP address. ARP poisoning takes advantage of this by convincing the router that the attacker’s MAC address should now be associated with the target IP address. Once this is done, the router will begin sending packets intended for the target to the attacker instead.

These are not an exhaustive list of ways to obtain pcap data, but some collection method is needed before Wireshark’s analysis capabilities are useful.

Task 5 Filtering Captures

Once Wireshark has packet captures loaded they can be filtered down to assist with analysis. Some pcap files can contain many thousands of packets and finding useful information can be like looking for a needle in a haystack.

Comparison operators can be used in the filter bar. Wireshark only has a few that you will need to be familiar with:

  • and – operator: and / &&
  • or – operator: or / ||
  • equals – operator: eq / ==
  • not equal – operator: ne / !=
  • greater than – operator: gt / >
  • less than – operator: lt / <

These operators are used on packet attributes such as ip.addr which refers to either IP address within the packet, source or destination. To specify which address, use ip.src or ip.dst respectively.

Other filters such as tcp.port and udp.port can be used to specify protocols and ports.

A cheatsheet of Wireshark filter options can be found at https://www.comparitech.com/net-admin/wireshark-cheat-sheet/.

No answer needed

Task 6 Packet Dissection

This task explained how the packet details pane breaks down the packet information by each layer of the OSI model.

  • Frame (Layer 1) — This will show you what frame / packet you are looking at as well as details specific to the Physical layer of the OSI model.
  • Source [MAC] (Layer 2) — This will show you the source and destination MAC Addresses; from the Data Link layer of the OSI model.
  • Source [IP] (Layer 3) — This will show you the source and destination IPv4 Addresses; from the Network layer of the OSI model.
  • Protocol (Layer 4) — This will show you details of the protocol used (UDP/TCP) along with source and destination ports; from the Transport layer of the OSI model.
  • Protocol Errors — This is a continuation of the 4th layer showing specific segments from TCP that needed to be reassembled.
  • Application Protocol (Layer 5) — This will show details specific to the protocol being used, such as HTTP, FTP, SMB, etc.; from the Application layer of the OSI model.
  • Application Data — This is an extension of layer 5 that can show the application-specific data.

No answer needed

Task 7 ARP Traffic

This task focuses on ARP traffic. It gives a pcap file to download and load into Wireshark.

What is the Opcode for Packet 6?

I selected packet number 6, then selected Address Resolution Protocol (request) then found the Opcode: request (1) line.

request (1)

What is the source MAC Address of Packet 19?

To find the answer to this question I clicked packet no. 19, then clicked Ethernet II, then found the Source MAC address inside the dropdown.

80:fb:06:f0:45:d7

What 4 packets are Reply packets?

To find the four reply packets I needed to filter the list of packets down. I searched for how to filter by opcode and found that the filter arp.opcode==reply returned the packets I was looking for.

76,400,459,520

What IP Address is at 80:fb:06:f0:45:d7?

To find this IP address I used the filter eth.src==80:fb:06:f0:45:d7 and clicked on the packet going to the Broadcast destination. Inside the ARP dropdown in the packet details pane I found the Sender IP address.

10.251.23.1
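As an added example (not code from the room or this write-up), here is a small pure-Python dissector that builds a constructed pcap of ARP frames and applies the two display filters used in Tasks 5 and 7, arp.opcode==reply and eth.src==MAC combined with a Broadcast destination, to recover the reply packet numbers and the ARP Sender IP. The MAC 80:fb:06:f0:45:d7 and the IP 10.251.23.1 are reused from the write-up; every other address and all packet contents are constructed.

```python
import struct
ARP_REQUEST, ARP_REPLY = 1, 2  # the numbers behind Wireshark's "request (1)" / "reply (2)"
BROADCAST = "ff:ff:ff:ff:ff:ff"
def _mac(s): return bytes.fromhex(s.replace(":", ""))
def _ip(s): return bytes(int(x) for x in s.split("."))
def _fmt_mac(b): return ":".join(f"{x:02x}" for x in b)

def arp_frame(src_mac, dst_mac, opcode, sender_ip, target_mac, target_ip):
    """Ethernet II header (14 bytes) + IPv4-over-Ethernet ARP body (28 bytes)."""
    eth = _mac(dst_mac) + _mac(src_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    return eth + arp + _mac(src_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip)

def pcap_file(frames):
    """Classic libpcap layout: 24-byte global header, then a 16-byte record header per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1369900000 + i, 0, len(f), len(f)) + f
    return out

def dissect(data):
    """Yield (packet number, fields) using Wireshark's field names; numbering starts at 1."""
    off, num = 24, 0
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<IIII", data, off)[2]
        frame = data[off + 16:off + 16 + incl_len]
        off, num = off + 16 + incl_len, num + 1
        f = {"eth.src": _fmt_mac(frame[6:12]), "eth.dst": _fmt_mac(frame[0:6])}
        if frame[12:14] == b"\x08\x06":  # EtherType 0x0806 = ARP
            f["arp.opcode"] = struct.unpack_from("!H", frame, 20)[0]
            f["arp.src.proto_ipv4"] = ".".join(str(x) for x in frame[28:32])
        yield num, f

def display_filter(data, conds):
    """Like `a == x && b == y` in the filter bar: keep packets that match every condition."""
    return [(n, f) for n, f in dissect(data) if all(f.get(k) == v for k, v in conds.items())]

# Constructed sample capture (not the room's pcap): a gateway at 10.251.23.1 and two hosts.
GW, H1, H2, ZERO = "80:fb:06:f0:45:d7", "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff", "00:00:00:00:00:00"
PCAP = pcap_file([arp_frame(GW, BROADCAST, ARP_REQUEST, "10.251.23.1", ZERO, "10.251.23.5"),
                  arp_frame(H1, GW, ARP_REPLY, "10.251.23.5", GW, "10.251.23.1"),
                  arp_frame(H1, BROADCAST, ARP_REQUEST, "10.251.23.5", ZERO, "10.251.23.1"),
                  arp_frame(GW, H1, ARP_REPLY, "10.251.23.1", H1, "10.251.23.5"),
                  arp_frame(H2, BROADCAST, ARP_REQUEST, "10.251.23.9", ZERO, "10.251.23.1")])

def reply_packet_numbers(data):  # arp.opcode == reply
    return [n for n, _ in display_filter(data, {"arp.opcode": ARP_REPLY})]

def ip_behind_mac(data, mac):  # eth.src == mac, then read Sender IP from the Broadcast request
    hits = display_filter(data, {"eth.src": mac, "eth.dst": BROADCAST})
    return hits[0][1]["arp.src.proto_ipv4"] if hits else None
```

The same two functions answer the Task 7 questions on the room's own pcap once the constructed PCAP bytes are swapped for the file's contents.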

Task 8 ICMP Traffic

This task focuses on ICMP (ping) traffic. It also provides a pcap file, different from the one in the last task.

What is the type for packet 4?

I clicked on packet no. 4 and opened the Internet Control Message Protocol dropdown arrow. This displayed the packet’s Type which was 8.

8

What is the type for packet 5?

Repeating the process for packet No. 5 gave me Type 0.

0

What is the timestamp for packet 12, only including month day and year?

Note: Wireshark bases its time on your device’s time zone; if your answer is wrong, try one day more or less.

To find the date for packet no. 19 I clicked the packet, opened the Internet Control Message Protocol and found the timestamp.

May 30, 2013

What is the full data string for packet 18?

To find the answer, I clicked packet no. 18, then clicked the Internet Control Message Protocol dropdown, then found the Data attribute.

08090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637

Task 9 TCP Traffic

This task explained TCP traffic but did not have any questions to answer. It reminds us that TCP employs a validation handshake known as the TCP 3-way handshake, in which a series of packets is sent: SYN, SYN-ACK, then ACK. There are also other TCP flags such as FIN, RST, PSH, and URG.

To find TCP information in a packet in Wireshark, first click on a packet in the packet list pane, then click the Transmission Control Protocol dropdown arrow. The Flags attribute will contain the TCP flag(s) in use.

Generally all TCP packets in a sequence will need to be considered together to fully understand the communication.

No answer needed

Task 10 DNS Traffic

Task 10 focuses on DNS traffic. It uses the same pcap file as the ICMP traffic lesson (Task 8).

What is being queried in packet 1?

To find the query for packet no. 1 I clicked packet 1 in the list, then clicked the dropdown for Domain Name System, then Queries. The Name attribute contained the value for the query.

8.8.8.8.in-addr.arpa

What site is being queried in packet 26?

Repeating the same actions above for packet 26 revealed the query: www.wireshark.org.

www.wireshark.org

What is the Transaction ID for packet 26?

In the same packet as the previous question I also found the transaction ID in the Domain Name System dropdown.

0x2c58

Task 11 HTTP Traffic

This task focused on HTTP traffic and gave a new pcap file to analyze.

What percent of packets originate from Domain Name System?

To find the % of packets that originate from DNS, I clicked Statistics > Protocol Hierarchy. The window that opened up contained the answer.

4.7

What endpoint ends in .237?

To get to the endpoint information I clicked Statistics > Endpoints then found the IP address 145.254.160.237 that answered the question.

145.254.160.237

What is the user-agent listed in packet 4?

To find the user-agent I clicked packet 4, then in the Hypertext Transfer protocol dropdown I found the User-Agent attribute.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113\r\n

Looking at the data stream what is the full request URI from packet 18?

I clicked on packet 18, then in the Hypertext Transfer Protocol dropdown I found the Full request URI.

https://pagead2.googlesyndication.com/pagead/ads?client=ca-pub-2309191948673629&random=1084443430285&lmt=1082467020&format=468x60_as&output=html&url=http%3A%2F%2Fwww.ethereal.com%2Fdownload.html&color_bg=FFFFFF&color_text=333333&color_link=000000&color_url=666633&color_border=666633

What domain name was requested from packet 38?

I found the domain name requested in packet 38 by doing the same steps as above to get to the Full request URI.

www.ethereal.com

Looking at the data stream what is the full request URI from packet 38?

The full URI from the packet above is

http://www.ethereal.com/download.html

Task 12 HTTPS Traffic

In this task we looked at HTTPS traffic in a pcap.

I first went to packet 31 in the pcap file but found the data was encrypted. In the download zip file for this task I was given an RSA key. To load the key I clicked Edit > Preferences > Protocols > TLS > + to add a new line. For IP address I put the loopback address 127.0.0.1, port start_tls, protocol http, and added the key from the file location.

Performing the above steps decrypted the https information in the pcap. Now when I look at packet 31 I see a Hypertext Transfer Protocol dropdown that did not exist before.

Looking at the data stream what is the full request URI for packet 31?

https://localhost/icons/apache_pb.png

Looking at the data stream what is the full request URI for packet 50?

https://localhost/icons/back.gif

What is the User-Agent listed in packet 50?

Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2\r\n

Task 13 Analyzing Exploit PCAPs

This task provided a pcap of network traffic that includes an exploit.

The first thing to notice in this file is the unknown protocols that all come from IP 192.168.100.128. I then added a filter to narrow down to only packets that came from this address using ip.src==192.168.100.128.

Further down the filtered list I found several packets using SMB2.

No answer needed
