In a world… OK, just kidding. This isn’t a movie trailer. However, the ever-increasing sophistication of attacks on our networks is no joking matter. To bypass firewalls, IDS/IPS, EPS, DLP and a plethora of solutions aimed at stemming the tide, criminal hackers are upping their game regularly. It’s up to us in the ethical hacking world to keep up both in understanding their attacks from an offensive perspective (red team) but also how to then find them for future prevention from the defensive side (blue team). In the end, all of the evidence is right there in the packets somewhere. You just need the advanced skills to help you and your team become the movie stars of your organization. Good thing we have the best tool in Wireshark for the job, and extensive research and experience on that tool to show you the Top 10 Uses of Wireshark.
In Top 10 Uses of Wireshark for Hackers Part I, we started with a crawl by creating a baseline and some passive discovery hacks. We then detected suspicious traffic on the network and later reassembled the traffic elements to pick out some particularly interesting content. Here in Part II, we force Wireshark to properly dissect traffic that is using a non-standard port number and add some columns to speed up the detection of a malicious HTTP redirection. We will finish up by decrypting TLS traffic and creating a trace file that contains an embedded TLS session key for easing interactions with other team members. It’s time to give your advanced Wireshark skills a kick in the pants with 5 more hands-on hacks. Are you ready for some network forensics swagger?
EH-Net Live! Aug: Join Laura Chappell for “Wireshark for Hackers“ on Thurs Aug 29 @ 1:00 EDT.
NOTE: Trace files referenced in this article can be downloaded from my online trace file library. Visit https://www.chappell-university.com/traces for instructions to access the Chappell University Trace File Library.
So let’s take what we learned about what Wireshark can do for the ethical hacker from Part I and dive into the next 5 hacks!
Hack #6: Force a Dissector
When you “follow stream” in Wireshark, a display filter for that one conversation is applied and visible in the Display Filter toolbar. In our sec-sickclient.pcapng example, we followed the traffic to and from port 18067. When we right-clicked and selected Follow | TCP stream, Wireshark applied a tcp.stream eq 1 filter.
We used reassembly to determine that this port 18067 traffic is actually IRC traffic. Wireshark chooses a dissector primarily by port number, and port 18067 is not registered to the IRC dissector, so the payload was left as undissected TCP data. If the same IRC session ran over TCP port 6667, Wireshark would have applied its IRC dissector automatically.
When we see traffic running over a non-standard port number, we can force a Wireshark dissector to be applied to that traffic. Right-click on a packet in the Packet List pane and select Decode As…
Within the pop-up window, ensure the TCP port 18067 is listed. That’s the port on which we will force the IRC dissector. In the Current column, select IRC and then click OK.
Once the dissector is applied to the traffic on port 18067, the Info column shows the Request and Response details.
TIP: To save this dissector setting, click Save in the Decode As… window. This will save the setting in a decode_as_entries file within the profile in which you are working.
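Decode As fixes one port in one profile; it does not help you find the next bot that picks port 18068. The following is an added example, not code from the original article or from the Wireshark project: a small IRC message parser following the same RFC 1459/2812 grammar the IRC dissector applies once you force it, plus a heuristic that flags any TCP payload that parses as IRC regardless of port. The payloads, nicknames and the server name irc.example.net are constructed to resemble a bot check-in; they are not taken from sec-sickclient.pcapng.

```python
"""Port-independent IRC recognition over raw TCP payloads.

Added example (not from the article or the Wireshark project). The
parser mirrors the RFC 1459/2812 message grammar Wireshark's IRC
dissector applies once forced with Decode As; looks_like_irc() runs
the same grammar as a heuristic so odd ports such as 18067 don't hide
a bot's command channel. All payloads below are constructed.
"""
import re
from typing import Optional

# Commands a bot session will almost always carry; a parsed line whose
# command is one of these (or a 3-digit numeric reply) counts as evidence.
IRC_COMMANDS = {"NICK", "USER", "JOIN", "PART", "PRIVMSG", "NOTICE",
                "PING", "PONG", "MODE", "TOPIC", "QUIT"}

# [':' prefix SPACE] command *(SPACE middle) [SPACE ':' trailing]
_MSG = re.compile(
    r"^(?::(?P<prefix>\S+) )?"
    r"(?P<command>[A-Za-z]+|\d{3})"
    r"(?P<params>(?: [^\s:]\S*)*)"
    r"(?: :(?P<trailing>.*))?$"
)


def parse_irc_line(line: str) -> Optional[dict]:
    """Return {prefix, command, params} for one CRLF-stripped line, or None."""
    m = _MSG.match(line)
    if not m:
        return None
    params = m.group("params").split()
    if m.group("trailing") is not None:
        params.append(m.group("trailing"))
    return {"prefix": m.group("prefix"),
            "command": m.group("command").upper(),
            "params": params}


def _complete_lines(payload: bytes):
    """Yield only CRLF-terminated lines; a trailing partial segment is ignored."""
    text = payload.decode("utf-8", errors="replace")
    for line in text.split("\r\n")[:-1]:
        if line:
            yield line


def looks_like_irc(payload: bytes, min_messages: int = 2) -> bool:
    """Heuristic: every complete line parses as IRC and at least
    `min_messages` of them use a known command or a numeric reply."""
    hits = 0
    for line in _complete_lines(payload):
        msg = parse_irc_line(line)
        if msg is None:
            return False          # one non-IRC line is enough to reject
        if msg["command"] in IRC_COMMANDS or msg["command"].isdigit():
            hits += 1
    return hits >= min_messages


def irc_info(payload: bytes, from_server: bool) -> list:
    """Roughly the Info column Wireshark shows after the dissector is forced."""
    kind = "Response" if from_server else "Request"
    out = []
    for line in _complete_lines(payload):
        msg = parse_irc_line(line)
        out.append(f"{kind} ({msg['command']})" if msg else "Malformed")
    return out


# Constructed payloads resembling a bot's first segments on TCP port 18067.
CLIENT_TO_SERVER = (b"NICK bot1234\r\n"
                    b"USER bot1234 0 * :bot1234\r\n"
                    b"JOIN #bots\r\n")
SERVER_TO_CLIENT = (b":irc.example.net 001 bot1234 :Welcome to the network\r\n"
                    b"PING :irc.example.net\r\n"
                    b":admin!a@host PRIVMSG #bots :!scan 10.0.0.0/24\r\n")
HTTP_PAYLOAD = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    for name, data in [("client", CLIENT_TO_SERVER), ("server", SERVER_TO_CLIENT),
                       ("http", HTTP_PAYLOAD)]:
        print(f"{name}: IRC={looks_like_irc(data)}")
    print(irc_info(SERVER_TO_CLIENT, from_server=True))
```

Run it over the first few segments of every TCP stream you pull out of a capture (Follow TCP stream gives you the same bytes) and you get a list of conversations worth a Decode As, whatever port they use. The HTTP request is rejected because the Host: header line does not fit the grammar, which is the reason to demand that every line parse rather than just counting hits.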
Hack #7: Easily Detect HTTP Redirects with Columns
We’ve all been redirected at some point in our internet-browsing-happy days! You type in [website1].com and end up at [website99].com. In most cases, this redirection process is not malicious and is transparent to us.
In some cases, however, the redirection is malicious. Let’s look at one such redirection in the trace file wwb001-skyhigh.pcapng.
In this trace file, a user performed a search for “tahoe weather forecast” (see frames 85-150). When the user clicked on one of the results listed, DNS resolved the address for weathermaps006.ga (see frames 241-259).
Note the GET request in frame 264. The client wants to get the default page in the radar directory. The redirection is seen in frame 270. Right click on the Host field and select Apply as Column.
Note that Wireshark links requests and responses at the end of the HTTP section of the frames. You can double-click on the hyperlink to quickly jump to the response in frame 270.
Frame 270 contains the 302 Moved Temporarily response. Right-click on the Location field in this frame and select Apply as Column.
Adding select fields as columns enables you to interpret the packets without delving into the packet contents. The information of interest is in the Packet List pane as shown in the following image.
It’s very easy to detect the HTTP redirection when you have the columns visible. I LOVE the Apply as Column feature in Wireshark. When you want to hide a column, just right-click on the column heading and uncheck the column. To make the column visible again, just right-click on any column heading and check the column. Easy peasy!
Want to see a really interesting redirection process? Check out sec-getsplendid.pcapng. Watch the Host and Location columns as you look through the trace file.
TIP: As an alternative, consider applying an http.location display filter. You won’t see the desired target host, but you will see the target redirect locations.
Hack #8: Reassemble and Export Objects
In the wwb001-skyhigh.pcapng, the client downloads some interesting files from systemerror21767.ga. We can reassemble and export these objects to see AND hear what the user experienced when they visited systemerror21767.ga.
Wireshark can reassemble DICOM, HTTP, IMF, FTP, SMB, and TFTP objects.
To reassemble the objects transferred via HTTP in this trace file, select File | Export Objects | HTTP. Wireshark displays a list of the objects seen during the HTTP sessions in the trace file. Select Save All, navigate to a directory, select a folder, and choose Select Folder.
Navigate to your folder and check out the objects reassembled and exported from this trace file. When you open the alert-1.png, alert-5.png, defender.png, and two error.mp3 files, you get a clear picture of what the user was presented when they clicked the link to find out the weather information for Tahoe.
WARNING: If you reassemble a malicious file downloaded by a host, you can infect your own system if you execute that file. You have, after all, downloaded the same file that the client downloaded. Keep the exported objects in a directory you treat as a malware sample store, hash them, and hand executables and documents to a sandbox rather than opening them on your analysis workstation.
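The two columns from Hack #7 and the object export from Hack #8 are both just reading HTTP headers and bodies, so here is an added example (not code from the article or from Wireshark) that does both from raw messages: it computes http.host and http.location per request, flags a 3xx whose Location leaves the requested host, and reassembles response bodies by Content-Length, but only sizes and hashes them, never opens them. The exchange is constructed to mirror the article's description of wwb001-skyhigh.pcapng; the paths, the 302 target and the bodies are made up.

```python
"""Redirect-chain and safe object-export checks over HTTP messages.

Added example (not from the article or the Wireshark project). It
computes from raw HTTP messages the two columns the article adds in
Wireshark (http.host and http.location), flags 3xx hops that leave the
requested host, and reassembles response bodies the way
File | Export Objects does, except that it only hashes and sizes them.
The exchange is constructed; paths and bodies are made up.
"""
import hashlib
from urllib.parse import urlsplit


def parse_http(raw: bytes):
    """Split one HTTP/1.x message into (start line, {header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def redirect_chain(exchange):
    """One row per request/response pair: (host, status, location, off_host).

    off_host is True for a 3xx whose Location names a different host than
    the request's Host header, the pattern the two columns make visible."""
    rows = []
    for req, resp in exchange:
        _, req_hdr, _ = parse_http(req)
        status_line, resp_hdr, _ = parse_http(resp)
        status = int(status_line.split(" ", 2)[1])
        host = req_hdr.get("host", "")
        location = resp_hdr.get("location")
        off_host = (location is not None and 300 <= status < 400
                    and urlsplit(location).hostname not in (None, host))
        rows.append((host, status, location, off_host))
    return rows


def export_objects(exchange):
    """Reassemble response bodies but never open them: returns
    {url: (content_type, size, sha256)}. Responses with no body or a body
    shorter than Content-Length (capture truncated) are skipped."""
    objects = {}
    for req, resp in exchange:
        req_line, req_hdr, _ = parse_http(req)
        path = req_line.split(" ")[1]
        _, resp_hdr, body = parse_http(resp)
        declared = int(resp_hdr.get("content-length", "0"))
        body = body[:declared]
        if declared == 0 or len(body) < declared:
            continue
        url = "http://" + req_hdr.get("host", "") + path
        objects[url] = (resp_hdr.get("content-type", ""), len(body),
                        hashlib.sha256(body).hexdigest())
    return objects


# Constructed exchange: a click on a search result, a 302 off the expected
# host, and a PNG fetched from the redirect target.
EXCHANGE = [
    (b"GET /radar/ HTTP/1.1\r\nHost: weathermaps006.ga\r\n\r\n",
     b"HTTP/1.1 302 Moved Temporarily\r\n"
     b"Location: http://systemerror21767.ga/index.php\r\n"
     b"Content-Length: 0\r\n\r\n"),
    (b"GET /index.php HTTP/1.1\r\nHost: systemerror21767.ga\r\n\r\n",
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 27\r\n\r\n"
     b'<img src="/alert-1.png">...'),
    (b"GET /alert-1.png HTTP/1.1\r\nHost: systemerror21767.ga\r\n\r\n",
     b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\nContent-Length: 8\r\n\r\n"
     b"\x89PNG\r\n\x1a\n"),
]

if __name__ == "__main__":
    for host, status, location, off_host in redirect_chain(EXCHANGE):
        flag = "   <-- redirect leaves host" if off_host else ""
        print(f"{host:22} {status} {location or ''}{flag}")
    for url, (ctype, size, digest) in export_objects(EXCHANGE).items():
        print(f"{url}  {ctype}  {size} B  sha256={digest}")
```

The SHA-256 is the value you feed to a sandbox or a reputation lookup; nothing in this script ever executes or renders an exported body, which is the point of the warning above.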
Hack #9: Decrypt Traffic with an RSA Key
Wireshark can decrypt TLS traffic when you supply the server’s RSA private key, provided the sessions used RSA key exchange: the client encrypts the premaster secret with the server’s public key, so the private key recovers it and everything else is derived from values visible in the capture. The process is simple. You need the trace file of the traffic and the private key from the server.
Try this out yourself using rsasnakeoil2.pcapng and rsasnakeoil2.key. The .key file holds the server’s RSA private key for the sessions captured in the .pcapng file (the capture itself is not encrypted; the TLS records inside it are).
Wireshark cannot decrypt the traffic this way if an ephemeral key exchange (DHE or ECDHE) was used, because the RSA key then only signs the server’s key share and the premaster secret never crosses the wire encrypted to it; TLS 1.3 always uses ephemeral key exchange. Check the Cipher Suite field in the Server Hello packet to determine what cipher suite will be used for the communication: a TLS_RSA_WITH_... suite is decryptable with the key, a TLS_DHE_... or TLS_ECDHE_... suite is not. For those sessions the secrets have to come from an endpoint, for example a browser or curl started with the SSLKEYLOGFILE environment variable set, and are loaded under Edit | Preferences | Protocols | TLS | (Pre)-Master-Secret log filename.
To apply the rsasnakeoil2.key file to the rsasnakeoil2.pcapng file, open the trace file in Wireshark and select Edit | Preferences | RSA Keys. Click the Add new keyfile… button, point to the rsasnakeoil2.key file on your system, and click OK.
If the traffic isn’t decrypted yet (you should see an HTTP GET in frame 11 once it is), click the Reload button on Wireshark’s main toolbar.
Hack #10: Embed a TLS Session Key in a Trace File
As of Wireshark v3, you can embed the TLS session keys in a trace file and hand that file off to someone else for analysis. You don’t need to share the server’s RSA private key used to decrypt the file (as shown in Hack #9), which would let the recipient decrypt every other RSA-key-exchange session with that server, and you don’t need to hand off a separate session key file with instructions to apply it; only the secrets for the sessions in the capture travel with it.
First, you need to get the session key. You must decrypt the traffic first (see Hack #9), then select File | Export TLS Session Keys…
Give your session key a name. Wireshark automatically adds .keys to the name if you do not include an extension. In my example, I called my TLS session key “rsasnakeoil2session.keys.”
Now we can (1) remove the RSA key applied to the file (Edit | Preferences | RSA Keys | select key | Remove key), and (2) embed the session key into the file using Editcap (the command-line tool installed with Wireshark).
The basic syntax used to embed a session key is shown below. The packets are not rewritten; editcap adds a Decryption Secrets Block carrying the contents of the key file, which is why the output must be pcapng rather than the older pcap format. The secrets type is tls here.
editcap --inject-secrets <secrets-type>,<session.keys> <input.pcapng> <output.pcapng>
Based on this syntax, my command will be:
editcap --inject-secrets tls,rsasnakeoil2session.keys rsasnakeoil2.pcapng rsadecrypt.pcapng
Now, I can share the new rsadecrypt.pcapng file with anyone, and they can view and analyze the decrypted traffic. Anyone holding that file can decrypt those sessions, so treat it with the same care as the plaintext itself. Nice, eh?
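To make concrete what Hack #9 relies on and what Hack #10 actually hands over, here is an added example, not code from the article or from the Wireshark project. It derives a TLS 1.2 master secret from a premaster secret and the two Hello randoms with the RFC 5246 PRF (for RSA key exchange the premaster is exactly what the server’s private key recovers from ClientKeyExchange), expands the key block, and writes the CLIENT_RANDOM line in the NSS key log format that Export TLS Session Keys produces and editcap --inject-secrets tls embeds. The randoms and premaster are constructed test values, not taken from rsasnakeoil2.pcapng.

```python
"""TLS 1.2 master-secret derivation and the NSS key log editcap embeds.

Added example, not from the article or the Wireshark project. It shows
why the server's RSA private key suffices for an RSA-key-exchange
session (the premaster secret travels RSA-encrypted in ClientKeyExchange;
everything after that is a deterministic PRF over values visible in the
capture) and produces the CLIENT_RANDOM line that Wireshark's
Export TLS Session Keys writes and editcap --inject-secrets tls embeds.
Randoms and the premaster below are constructed test values.
"""
import hashlib
import hmac


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 (RFC 5246 section 5): HMAC chain expanded to `length` bytes."""
    out = b""
    a = seed                                                   # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()       # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF for SHA-256 suites: P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """RFC 5246 section 8.1. For RSA key exchange `premaster` is the 48 bytes
    the client encrypted to the server's public key, so whoever holds the
    private key can recover it; for (EC)DHE it is the ephemeral shared
    secret, which the RSA key only signed and therefore cannot reveal."""
    return prf(premaster, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes, length: int) -> bytes:
    """RFC 5246 section 6.3; note the randoms are swapped relative to master_secret()."""
    return prf(master, b"key expansion", server_random + client_random, length)


def keylog_line(client_random: bytes, master: bytes) -> str:
    """One NSS key log entry: the per-session secret Wireshark needs, and
    all another analyst gets when you share a file with injected secrets."""
    return f"CLIENT_RANDOM {client_random.hex()} {master.hex()}"


def load_keylog(text: str) -> dict:
    """Parse key log text into {client_random: master_secret}. Comments and
    other line types (RSA entries, TLS 1.3 traffic secrets) are ignored here."""
    secrets = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "CLIENT_RANDOM":
            secrets[bytes.fromhex(parts[1])] = bytes.fromhex(parts[2])
    return secrets


if __name__ == "__main__":
    # Constructed values: in a real capture the randoms come from the
    # ClientHello/ServerHello and the premaster from RSA-decrypting the
    # ClientKeyExchange (two TLS version bytes followed by 46 random bytes).
    client_random = bytes(range(32))
    server_random = bytes(range(32, 64))
    premaster = b"\x03\x03" + bytes(range(46))
    ms = master_secret(premaster, client_random, server_random)
    keys = key_block(ms, client_random, server_random, 40)   # AES-128-GCM: 2 keys + 2 fixed IVs
    line = keylog_line(client_random, ms)
    print(line)
    print("client_write_key:", keys[:16].hex())
    # Save `line` to a file and embed it with the article's command:
    #   editcap --inject-secrets tls,session.keys in.pcapng out.pcapng
    assert load_keylog(line)[client_random] == ms
```

The key log line is indexed by the client random, which is sent in the clear in the ClientHello; that is how Wireshark matches an embedded secret to a session without any other help. Note that the line reveals the master secret of that one session only, whereas the RSA private key would let the holder compute the same line for every RSA-key-exchange session that server ever had.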
Don’t Stop with These Top 10 Uses of Wireshark
Hopefully these Top 10 Uses of Wireshark (5 foundational and 5 advanced tactics) help to better understand an attacker’s mindset and how to analyze networks by yourself as well as with other team members. Wireshark is in constant development, so we’re sure to see additional features and functionality making it even easier to perform troubleshooting and network forensic investigations.
Feeling that swagger yet? Maybe not if you just read this article. Trust me… if you download the trace files and work through each of these examples in their entirety as well as play around on your own, you’ll be strutting down the hallways and deservedly so.
In the coming months, we’ll tackle additional usage of Wireshark for the ethical hacking community. Until then, keep playing! Once you learn to bend Wireshark to your will and expose all of the secrets hidden in your traffic, you’ll see that finding the bad guys is actually quite fun. Let us know in the Comments Section below what you thought of this two-part series and what you’d like to see in the future.
Laura Chappell is the Founder of Protocol Analysis Institute, Inc., Founder of Chappell University, and the creator of the WCNA Certification program (formerly known as the Wireshark Certified Network Analyst certification program). Laura teaches Wireshark courses online and offers on-demand training through the All Access Pass (www.chappell.talentlms.com).
Since 1991, Laura has been living, eating, and breathing in the packet-level world. Besides being the author of numerous best-selling books on network analysis, troubleshooting, and network forensics, Laura is hailed as a top-notch, entertaining presenter who can detail the most effective methods to locate network issues.
Laura Chappell can be reached via www.chappell-university.com, www.wcnacertification.com, and on Twitter, LinkedIn, and Facebook. Get the latest information on Laura’s research, writing, and presentations by signing up for her “In Laura’s Lab” Newsletter at www.chappell-university.com.