Ten things you did not know about Wireshark.

Wireshark fits nicely in any toolbox of the network forensic analyst and ethical hacker. From hundreds of dissectors that decode the protocol and application fields, to the customization capability that enables you to find that one item of interest in a sea of packets, Wireshark gives you all the necessary insights into traffic. “Wireshark for Hackers” will be a two-part series (5 hacks each) where we will attempt to turn your crawl into a walk… and maybe even a little swagger.

In Part I, we will start with some less-sexy baseline and passive discovery hacks with Wireshark. They’re necessary skills, but they won’t be included in a top-ranked film anytime soon. We will then detect unsecured and suspicious traffic on the network and later reassemble some of the suspect traffic elements. Then stay tuned for Part II next month, where we’ll force Wireshark to properly dissect traffic that is using a non-standard port number and add some columns to speed up the detection of a malicious HTTP redirection. We will finish up by decrypting TLS traffic and creating a trace file that contains an embedded TLS session key.

___________________________________________________________________________________


There’s a lot that Wireshark can do for the ethical hacker, so let’s get started on the first 5!

Hack #1: Baseline Your Traffic

No, it’s not very sexy, but baselining is a necessary skill for any network analyst.

Baselining is the process of capturing and identifying the “normal” traffic on a network. This traffic may include the auto-update applications on a network, a myriad of broadcast and multicast traffic streams, auto-detect applications scrounging around the network unnecessarily, and more.

Baselining is done through a passive discovery process — capture the traffic on your network and start picking it apart while identifying the hosts and applications running on a network.

Here’s a sample baseline procedure to try.

  1. On your home network, shut down all applications except background applications (such as your virus detection tool).
  2. Launch Wireshark on your laptop and capture all traffic to and from that same laptop.
  3. Do not touch the keyboard for 1 hour while letting Wireshark run on the laptop. (I know it’s tempting to just touch that keyboard to look at email, toggle screens, or something else, but DON’T do it – resist the urge!).
  4. After the hour is up, stop Wireshark and look through your traffic.

Enabling name resolution might help identify some of the traffic. Select Edit | Preferences | Name Resolution and enable Resolve network (IP) addresses.


[Figure: Enabling name resolution]
___________________________________________________________________________________

  1. Pay attention to the ARP traffic to map local IP addresses to hardware addresses. You can apply an arp display filter, if desired.
  2. Check out the DNS traffic to map other hosts to IP addresses. You can apply a dns display filter, if desired.
  3. Look at the Host field inside the HTTP GET request to obtain the name of the target server.
  4. Examine the User-Agent field inside that same HTTP GET request to determine what operating system is running on the client.
  5. Examine the Server field in the HTTP response packet to identify the web server software running on the server.

If we look at the example trace file, skill-passivediscovery4.pcapng, we can build a picture of the network (see below).
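The five passive discovery steps above can also be run over an exported field list. The following is an added example, not part of the original article: the rows, addresses and function names are constructed for illustration, and the column layout assumes a tshark field export as described in the code comment.

```python
from collections import defaultdict

# Constructed sample rows (not taken from skill-passivediscovery4.pcapng).
# Assumed layout: one tab-separated row per packet, as exported by
#   tshark -r trace.pcapng -T fields -e arp.src.proto_ipv4 -e arp.src.hw_mac
#     -e dns.qry.name -e dns.a -e ip.src -e http.host -e http.user_agent -e http.server
# Columns are empty where the packet does not carry that field.
SAMPLE_ROWS = """\
192.168.1.72\t00:11:22:33:44:55\t\t\t\t\t\t
192.168.1.254\t66:77:88:99:aa:bb\t\t\t\t\t\t
\t\twww.example.com\t\t192.168.1.72\t\t\t
\t\twww.example.com\t203.0.113.10\t192.168.1.254\t\t\t
\t\t\t\t192.168.1.72\twww.example.com\tMozilla/5.0 (Windows NT 10.0; Win64; x64)\t
\t\t\t\t203.0.113.10\t\t\tnginx
"""

def build_inventory(rows):
    """Build a picture of the network from exported ARP, DNS and HTTP fields."""
    new_client = lambda: {"hosts": set(), "user_agents": set()}
    inv = {"mac": {}, "names": defaultdict(set),
           "clients": defaultdict(new_client), "servers": defaultdict(set)}
    for line in rows.splitlines():
        if not line.strip():
            continue
        cols = (line.split("\t") + [""] * 8)[:8]   # pad short rows
        arp_ip, arp_mac, qname, answers, src, host, agent, server = cols
        if arp_ip and arp_mac:        # step 1: IP address -> hardware address
            inv["mac"][arp_ip] = arp_mac
        if qname and answers:         # step 2: name -> addresses (comma-joined)
            inv["names"][qname].update(a for a in answers.split(",") if a)
        if host:                      # step 3: Host field of the GET request
            inv["clients"][src]["hosts"].add(host)
        if agent:                     # step 4: User-Agent of the client
            inv["clients"][src]["user_agents"].add(agent)
        if server:                    # step 5: Server field of the response
            inv["servers"][src].add(server)
    return inv

def platform_token(user_agent):
    """Return the parenthesised platform comment of a User-Agent, or ''."""
    start, end = user_agent.find("("), user_agent.find(")")
    return user_agent[start + 1:end] if 0 <= start < end else ""
```

Both User-Agent and Server are self-reported and can be changed by the sender, so treat them as hints to confirm rather than as proof of the operating system or server software.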

TIP: If you are capturing on a local host and you want to ensure you are not visible in the trace file and to other devices on the network, disable the TCP/IP stack on your local system. Wireshark does not require a working TCP/IP stack in order to capture traffic. Disabling your TCP/IP stack prevents your system from transmitting anything (such as DHCP Discover packets and ARP broadcasts) onto the network.

___________________________________________________________________________________


Hack #5: Reassembly (Follow Streams)

People who love Wireshark love Wireshark’s Follow Stream feature! When you follow a stream, Wireshark removes the data link header, network header, and transport header from view and shows you the application-layer communications. This enables you to quickly view the commands and responses in a communication.

You can follow four types of streams at this time:

  1. TCP streams (self-explanatory)
  2. UDP streams (self-explanatory)
  3. TLS streams (use after decryption of the traffic)
  4. HTTP streams (use on gzipped HTTP traffic)

Let’s right-click on the undissected traffic in sec-sickclient.pcapng and select Follow | TCP stream. We can see that this traffic on port 18067 is Internet Relay Chat (IRC) traffic.

[Figure: Follow | TCP stream (EH-Net - Chappell - Top 10 Uses of Wireshark for Hackers Part I)]
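What following a stream does can be sketched in a few lines: order the payloads by sequence number, drop retransmitted bytes, and read the application-layer text that remains. This is an added example, not code from the original article or from Wireshark; the segments are constructed (they are not the contents of sec-sickclient.pcapng), the function names are hypothetical, and it assumes relative sequence numbers with no wraparound.

```python
import re

# Constructed client-to-server segments as (relative sequence number, payload),
# in the order a capture might record them: out of order, one retransmission.
SEGMENTS = [
    (1, b"NICK zx41\r\nUSER zx"),
    (31, b"JOIN #chan\r\n"),
    (19, b"41 0 * :zx\r\n"),
    (1, b"NICK zx41\r\nUSER zx"),   # retransmission of the first segment
]

def reassemble(segments, first_seq=1):
    """Rebuild one direction of a TCP stream from (seq, payload) pairs."""
    stream, next_seq = bytearray(), first_seq
    for seq, data in sorted(segments):
        end = seq + len(data)
        if end <= next_seq:               # nothing new: full retransmission
            continue
        if seq > next_seq:                # gap: bytes missing from the capture
            stream += b"[%d bytes missing]" % (seq - next_seq)
            next_seq = seq
        stream += data[next_seq - seq:]   # skip any overlapping prefix
        next_seq = end
    return bytes(stream)

IRC_COMMANDS = {b"NICK", b"USER", b"JOIN", b"PRIVMSG",
                b"PING", b"PONG", b"MODE", b"PASS"}

def irc_commands(stream):
    """Return the IRC command words that start CRLF-terminated lines."""
    found = []
    for line in stream.split(b"\r\n"):
        m = re.match(rb"(?::\S+ )?([A-Za-z]+)\b", line)   # optional :prefix
        if m and m.group(1).upper() in IRC_COMMANDS:
            found.append(m.group(1).upper().decode())
    return found

def looks_like_irc(stream, minimum=2):
    """Flag a stream as IRC when it carries several distinct IRC commands."""
    return len(set(irc_commands(stream))) >= minimum
```

Because the check reads the payload rather than the port number, it applies equally to IRC on a non-standard port such as the 18067 seen above.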

TTFN

These first 5 hacks should get you from crawling to walking. However, we’ve really only scratched the surface of the many ways that we can use Wireshark for hackers to understand and analyze networks. As time goes on, additional features and functionality will only make it easier to perform troubleshooting and network forensic investigations on networks.

We sincerely hope that you didn’t just read the contents of “Top 10 Uses of Wireshark for Hackers Part I”, but that you will also play along. After all, the only true way to learn something is to do it. So take some time to actually perform each hack in this article. It is also highly recommended that, while doing each hack, you play around with the settings, use other trace files, or create your own. Once you have the basics down, you’ll definitely be prepared for Part II next month.

Until then… get ready for the swagger!

_________________________________________________________________________________




