8 January 2020
If your current capture process can’t keep up with the traffic and drops packets – you need a new capture process. No debates here. Analyzing a trace file in which you don’t have all the packets of interest will waste your time. You aren’t seeing a true picture of the traffic, and, when you analyze the trace file in Wireshark after the capture, you will likely see the 'Expert' complain about problems which don’t actually exist. There is a solution, and you may not even realize that you already have it: Tshark! When you installed Wireshark, you likely also installed a set of command-line interface (CLI) tools into the Wireshark program file directory. One of these CLI tools is Tshark. Tshark can be used to capture and analyze traffic. It offers more functionality than the standard tcpdump and may become your go-to tool to grab the right packets from the network.
27 August 2019
In a world... OK, just kidding. This isn't a movie trailer. However, the ever-increasing sophistication of attacks on our networks is no joking matter. To bypass firewalls, IDS/IPS, EPS, DLP and a plethora of solutions aimed at stemming the tide, criminal hackers are upping their game regularly. It's up to us in the ethical hacking world to keep up, both in understanding their attacks from an offensive perspective (red team) and in finding those attacks for future prevention from the defensive side (blue team). In the end, all of the evidence is right there in the packets somewhere. You just need the advanced skills to help you and your team become the movie stars of your organization. Good thing we have the best tool in Wireshark for the job, and extensive research and experience on that tool to show you how. In Top 10 Uses of Wireshark for Hackers Part I, we started with a crawl by creating a baseline and some passive discovery hacks. We then detected suspicious traffic on the network and later reassembled the traffic elements to pick out some particularly interesting content. Here in Part II, we force Wireshark to properly dissect traffic that is using a non-standard port number and add some columns to speed up the detection of a malicious HTTP redirection. We will finish up by decrypting TLS traffic and creating a trace file that contains an embedded TLS session key for easing interactions with other team members. It's time to get your advanced Wireshark skills [...]
26 July 2019
Wireshark fits nicely in any toolbox of the network forensic analyst and ethical hacker. From hundreds of dissectors that decode the protocol and application fields, to the customization capability that enables you to find that one item of interest in a sea of packets, Wireshark gives you all the necessary insights into traffic. “Wireshark for Hackers” will be a two-part series where we will attempt to turn your crawl into a walk… and maybe even a little swagger. In Part I, we will start with some less-sexy baseline and passive discovery hacks with Wireshark. They’re necessary skills, but they won’t be included in a top-ranked film anytime soon. We will then detect unsecured and suspicious traffic on the network and later reassemble some of the suspect traffic elements. Then stay tuned for Part II next month, where we’ll force Wireshark to properly dissect traffic that is using a non-standard port number and add some columns to speed up the detection of a malicious HTTP redirection. We will finish up by decrypting TLS traffic and creating a trace file that contains an embedded TLS session key.