Wireshark fits nicely in any toolbox of the network forensic analyst and ethical hacker. From hundreds of dissectors that decode the protocol and application fields, to the customization capability that enables you to find that one item of interest in a sea of packets, Wireshark gives you all the necessary insights into traffic. “Wireshark for Hackers” will be a two-part series (5 hacks each) where we will attempt to turn your crawl into a walk… and maybe even a little swagger.
In Part I, we will start with some less-sexy baseline and passive discovery hacks with Wireshark. They’re necessary skills, but they won’t be included in a top-ranked film anytime soon. We will then detect unsecured and suspicious traffic on the network and later reassemble some of the suspect traffic elements. Then stay tuned for Part II next month, where we’ll force Wireshark to properly dissect traffic that is using a non-standard port number and add some columns to speed up the detection of a malicious HTTP redirection. We will finish up by decrypting TLS traffic and creating a trace file that contains an embedded TLS session key.
EH-Net Live! Aug: Join Laura Chappell for “Wireshark for Hackers“ on Thurs Aug 29 @ 1:00 EDT.
NOTE: Trace files referenced in this article can be downloaded from my online trace file library. Visit https://www.chappell-university.com/traces for instructions to access the Chappell University Trace File Library.
There’s a lot that Wireshark can do for the ethical hacker, so let’s get started on the first 5!
Hack #1: Baseline Your Traffic
No, it’s not very sexy, but baselining is a necessary skill for any network analyst.
Baselining is the process of capturing and identifying the “normal” traffic on a network. This traffic may include the auto-update applications on a network, a myriad of broadcast and multicast traffic streams, auto-detect applications scrounging around the network unnecessarily, and more.
Baselining is done through a passive discovery process — capture the traffic on your network and start picking it apart while identifying the hosts and applications running on a network.
Here’s a sample baseline procedure to try.
- On your home network, shut down all applications except background applications (such as your virus detection tool).
- Launch Wireshark on your laptop and capture all traffic to and from that same laptop.
- Do not touch the keyboard for 1 hour while letting Wireshark run on the laptop. (I know it’s tempting to just touch that keyboard to look at email, toggle screens, or something else, but DON’T do it – resist the urge!).
- After the hour is up, stop Wireshark and look through your traffic.
Enabling name resolution might help identify some of the traffic. Select Edit | Preferences | Name Resolution and enable Resolve network (IP) addresses.
During your baselining process, you may be surprised to see how many background applications are communicating on the network. There’s never a dull moment, eh? On my system, I see DropBox, McAfee, Citrix (GoToMyPC), Microsoft traffic, and more.
What communications should be baselined? The answer will be different for each network out there, but there are some common items I would recommend that you baseline.
- Client boot-up process
- Login processes
- Critical application launch
- Critical application termination
- Shutdown process
Hack #2: Perform Passive Discovery
Passive discovery is the process of building a map of the network based on what you hear while listening to the traffic. From the Statistics menu, Wireshark can provide a list of visible hosts, conversations (pairs of hosts communicating with each other), resolved addresses, port numbers, and more.
Try this out – open skills-passivediscovery4.pcapng and sketch out a map of the network devices and services based only on the traffic seen in the trace file.
- Consider selecting Statistics | Conversations to see which addresses and port numbers are active in the trace file.
- Pay attention to the ARP traffic to map local IP addresses to hardware addresses. You can apply an arp display filter, if desired.
- Check out the DNS traffic to map other hosts to IP addresses. You can apply a dns display filter, if desired.
- Look at the Host field inside the HTTP GET request to obtain the name of the target server.
- Examine the User-Agent field inside that same HTTP GET request to determine what operating system is running on the client.
- Examine the Server field in the HTTP response packet to identify the web server software running on the server.
If we look at the example trace file, skill-passivediscovery4.pcapng, we can build a picture of the network (see below).
TIP: If you are capturing on a local host and you want to ensure you are not visible in the trace file and to other devices on the network, disable the TCP/IP stack on your local system. Wireshark does not require a working TCP/IP stack in order to capture traffic. Disabling your TCP/IP stack prevents your system from transmitting anything (such as DHCP Discover packets and ARP broadcasts) onto the network.
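The mapping steps above can be scripted over the per-packet field export that Wireshark's command-line companion, tshark, produces. The Python below is an added example, not the article's own code; its tab-separated input rows are constructed to look like that export (the tshark command and the real Wireshark field names it assumes are shown in the comment).

```python
# Added example, not from the article: build the passive-discovery map from tshark's field
# output. The field names are real Wireshark filter names; SAMPLE is constructed to mimic:
#   tshark -r skills-passivediscovery4.pcapng -T fields -E separator=/t -e ip.src \
#     -e arp.src.proto_ipv4 -e arp.src.hw_mac -e dns.qry.name -e dns.a \
#     -e http.host -e http.user_agent -e http.server
FIELDS = ["ip.src", "arp.src.proto_ipv4", "arp.src.hw_mac", "dns.qry.name",
          "dns.a", "http.host", "http.user_agent", "http.server"]
SAMPLE = "\n".join([  # constructed rows; one tab-separated cell per field, empty when absent
    "\t10.1.1.1\t00:11:22:33:44:01\t\t\t\t\t",                            # ARP from the gateway
    "\t10.1.1.50\t00:11:22:33:44:50\t\t\t\t\t",                           # ARP from a client
    "10.1.1.1\t\t\twww.example.net\t198.51.100.10,198.51.100.11\t\t\t",  # DNS answer
    "10.1.1.50\t\t\t\t\twww.example.net\tMozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/68.0\t",
    "198.51.100.10\t\t\t\t\t\t\tApache/2.4.41 (Ubuntu)",                  # HTTP response
])
# Constructed User-Agent tokens, checked in order (Android before Linux, since its UA has both).
OS_TOKENS = [("Windows NT 10.0", "Windows 10"), ("Windows NT 6.1", "Windows 7"),
             ("Android", "Android"), ("iPhone", "iOS"), ("Macintosh", "macOS"), ("Linux", "Linux")]

def guess_os(user_agent):
    return next((name for token, name in OS_TOKENS if token in user_agent), "unknown")

def build_map(tsv):
    """Fold the rows into what an analyst sketches: MAC table, DNS names, clients, servers."""
    net = {"mac": {}, "dns": {}, "clients": {}, "servers": {}}
    for line in tsv.splitlines():
        if not line.strip():
            continue
        f = dict(zip(FIELDS, line.split("\t")))
        if f["arp.src.proto_ipv4"]:                      # ARP: IP -> hardware address
            net["mac"][f["arp.src.proto_ipv4"]] = f["arp.src.hw_mac"]
        if f["dns.a"]:                                   # DNS answer: every A record -> name
            for ip in f["dns.a"].split(","):
                net["dns"][ip] = f["dns.qry.name"]
        if f["http.host"]:                               # HTTP request: client OS and target
            net["clients"][f["ip.src"]] = {"os": guess_os(f["http.user_agent"]), "target": f["http.host"]}
        if f["http.server"]:                             # HTTP response: server software
            net["servers"][f["ip.src"]] = {"software": f["http.server"],
                                           "name": net["dns"].get(f["ip.src"], "unresolved")}
    return net
```

Run the tshark command in the comment against the trace file and pipe its output into build_map to get the same four tables for the real capture.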
Hack #3: Detect Unsecured Applications
This is something you will want to catch before someone else does.
Consider your email traffic running through the network. What would you do if you learned that email traffic was unencrypted and anyone with access to a packet capture tool and the network path upon which that traffic travels could intercept and read that email?
I don’t care what the vendor tells you about the security of their product’s network communications – take a trace of the traffic to verify the setup of an encrypted connection before data transfer.
If you can see login names, passwords, commands, response codes, directory names, or file names, the application is sending unsecured traffic.
I’ve had customers state that all their traffic is encrypted and secure, only to find out that I could read payroll data crossing the network. Test the security of your network traffic by capturing the traffic before someone else does.
To see this type of traffic, download any of my ftp-*.pcapng files from the Chappell University Trace File Library.
Hack #4: Detect Suspicious Protocols and Applications
Wireshark’s Protocol Hierarchy window can be used during the baselining process and during network forensic investigations. The Protocol Hierarchy statistic indicates which Wireshark dissectors were applied to the traffic.
This is the first statistic to check out when you suspect a compromised host on the network. Look for two items in particular:
- Unusual protocols or applications: For example, if you see Internet Relay Chat in the Protocol Hierarchy window, you may want to right click and filter on that traffic to see what’s going on in that communication.
- “Data” directly under IP, UDP, or TCP: This indicates that Wireshark did not apply a dissector to the application traffic. This could indicate that an application may be using a non-standard port number.
In the image above, we can see the “Data” item directly under TCP. What application is in use? Wireshark doesn’t know. This traffic runs over the client ephemeral port number 1048 to a server port 18067. What application is registered to use TCP port 18067? IANA’s Service Name and Transport Protocol Port Number Registry doesn’t list any application that has registered that port number. To find out what is using this port number, we’ll use reassembly (continue to the next item).
Hack #5: Reassembly (Follow Streams)
People who love Wireshark, love Wireshark’s Follow Stream feature! When you follow a stream, Wireshark removes the data link header, network header, and transport header from view and shows you application-layer communications. This enables you to quickly view the commands and responses in a communication.
You can follow four types of streams at this time:
- TCP streams (self-explanatory)
- UDP streams (self-explanatory)
- TLS streams (use after decryption of the traffic)
- HTTP streams (use on gzipped HTTP traffic)
Let’s right click on our sec-sickclient.pcapng undissected traffic and select Follow | TCP stream. We can see that this traffic on port 18067 is Internet Relay Chat (IRC) traffic.
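Hack #4's undissected “Data” rows and Hack #5's stream reassembly, as an added example that is not from the article: the TCP segments are constructed (addresses from documentation ranges, the client port 1048 and server port 18067 from the walkthrough above), and the known-port table is a small stand-in for Wireshark's dissector table.

```python
# Added example, not from the article: flag TCP conversations that Wireshark would show as
# plain "Data" under TCP, reassemble them as Follow | TCP Stream does, and fingerprint them.
import re
from collections import defaultdict
KNOWN_PORTS = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http", 443: "tls", 6667: "irc"}  # constructed subset
# Constructed segments (src_ip, src_port, dst_ip, dst_port, seq, payload): out of order, one retransmit.
SEGMENTS = [
    ("10.0.0.5", 1048, "203.0.113.7", 18067, 1001, b"NICK sickclient\r\n"),
    ("203.0.113.7", 18067, "10.0.0.5", 1048, 5001, b":irc.example 001 sickclient :Welcome\r\n"),
    ("10.0.0.5", 1048, "203.0.113.7", 18067, 1033, b"JOIN #botnet\r\n"),
    ("10.0.0.5", 1048, "203.0.113.7", 18067, 1018, b"USER s 0 * :s\r\n"),
    ("10.0.0.5", 1048, "203.0.113.7", 18067, 1018, b"USER s 0 * :s\r\n"),
    ("10.0.0.5", 51000, "203.0.113.9", 80, 1, b"GET / HTTP/1.1\r\nHost: a\r\n\r\n"),
]

def conversations(segments):  # group by bidirectional pair, as Statistics | Conversations does
    convs = defaultdict(list)
    for seg in segments:
        convs[tuple(sorted(((seg[0], seg[1]), (seg[2], seg[3]))))].append(seg)
    return convs

def undissected(segments, known=KNOWN_PORTS):
    """Conversations whose ports both lack a dissector: the 'Data' rows in Protocol Hierarchy."""
    return [k for k in conversations(segments) if k[0][1] not in known and k[1][1] not in known]

def follow_stream(segments, key):
    """Reassemble each direction by sequence number, dropping retransmitted/overlapping bytes."""
    streams = {}
    for endpoint in key:
        mine = sorted((s for s in segments if (s[0], s[1]) == endpoint), key=lambda s: s[4])
        expected, out = None, bytearray()
        for _, _, _, _, seq, data in mine:
            expected = seq if expected is None else expected
            if seq + len(data) <= expected:
                continue                          # pure retransmission, nothing new
            out += data[max(0, expected - seq):]  # a gap (seq > expected) is appended as-is
            expected = seq + len(data)
        streams[endpoint] = bytes(out)
    return streams

IRC_CLIENT = re.compile(rb"^(NICK|USER|JOIN|PRIVMSG|PING|PONG) ")
IRC_SERVER = re.compile(rb"^:\S+ (\d{3}|[A-Z]+) ")

def fingerprint(stream):
    """Name the application from the payload, as an analyst reading Follow Stream would."""
    lines = [l for l in stream.split(b"\r\n") if l]
    if any(IRC_CLIENT.match(l) or IRC_SERVER.match(l) for l in lines):
        return "irc"
    return "unknown"
```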
These first 5 hacks should get you from crawling to walking. However, we’ve really only scratched the surface of the many ways that we can use Wireshark for hackers to understand and analyze networks. As time goes on, additional features and functionality will only make it easier to perform troubleshooting and network forensic investigations on networks.
We sincerely hope that you didn’t just read the contents of “Top 10 Uses of Wireshark for Hackers Part I”, but that you will also play along. After all, the only true way to learn something is to do it. So take some time to actually perform each hack in this article. It is also highly recommended that, while doing each hack, you also play around with the settings, use other trace files, or create your own. Once you have the basics down, you’ll definitely be prepared for Part II next month.
Until then… get ready for the swagger!
Laura Chappell is the Founder of Protocol Analysis Institute, Inc., Founder of Chappell University, and the creator of the WCNA Certification program (formerly known as the Wireshark Certified Network Analyst certification program). Laura teaches Wireshark courses online and offers on-demand training through the All Access Pass (www.chappell.talentlms.com).
Since 1991, Laura has been living, eating, and breathing in the packet-level world. Besides being the author of numerous best-selling books on network analysis, troubleshooting, and network forensics, Laura is hailed as a top-notch, entertaining presenter who can detail the most effective methods to locate network issues.
Laura Chappell can be reached via www.chappell-university.com, www.wcnacertification.com, and on Twitter, LinkedIn, and Facebook. Get the latest information on Laura’s research, writing, and presentations by signing up for her “In Laura’s Lab” Newsletter at www.chappell-university.com.