Wireshark Basics
414C504F
29/01/2019
Contents
- Traffic capture and traffic filtering with Wireshark
- SSL Man-in-the-Middle with Wireshark
- WLAN traffic Man-in-the-Middle with Wireshark
Wireshark
Packet analyser / traffic sniffer
- Open-source
- Cross-platform
- Fancy GUI
https://www.wireshark.org/
Data packets capturing
To start capturing:
- Select a network interface
- Click on the blue shark fin button / press Ctrl+E
To stop capturing:
- Click on the red stop button / press Ctrl+E
Data packets capturing
Top frame (packet list): Number, Time, Source, Destination, Protocol, Length, Info
Middle frame (packet details), example:
- Frame
- Linux cooked capture
- Internet Protocol: version, source, destination
- Transmission Control Protocol: src port, dst port, seq, len
Bottom frame (packet bytes): Data
Wireshark Filters
There are 2 ways to filter:
- Build a filter via the fancy GUI (Expression button)
- Type a filter into the "Apply a display filter" entry field (below the toolbar)
Wireshark Filters: Relations
English      C-like   Description and example
eq           ==       Equal. ip.src == 10.0.0.5
ne           !=       Not equal. ip.src != 10.0.0.5
gt           >        Greater than. frame.len > 10
lt           <        Less than. frame.len < 128
ge           >=       Greater than or equal to. frame.len ge 0x100
le           <=       Less than or equal to. frame.len <= 0x20
contains              Protocol, field or slice contains a value. sip.To contains "a1762"
matches               Protocol or text field matches a Perl regular expression. http.host matches "acme\.(org|com|net)"
bitwise_and  &        Compare bit field value. tcp.flags & 0x02
Source: https://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html
Wireshark: Combining Expressions
English  C-like   Description and example
and      &&       Logical AND. ip.src == 10.0.0.5 and tcp.flags.fin
or       ||       Logical OR. ip.src == 10.0.0.5 or ip.src == 192.1.1.1
xor      ^^       Logical XOR. tr.dst[0:3] == 0.6.29 xor tr.src[0:3] == 0.6.29
not      !        Logical NOT. not llc
[ ]               Slice operator. eth.addr[0:3] == 00:06:5B
in                Membership operator. tcp.port in {80 443 8080}
Sources: https://www.wireshark.org/docs/wsug_html/ and https://wiki.wireshark.org/DisplayFilters
Most common Wireshark filters
Filter on a port:
  tcp.port eq 80
  tcp.srcport == 443
Filter for HTTP and HTTPS traffic (all four forms are equivalent ways of writing the same idea):
  tcp.port == 443 or tcp.port == 80
  ssl or http
  tcp.port in {80 443 8080}
  tcp.port == 80 || tcp.port == 443 || tcp.port == 8080
Most common Wireshark filters
Filter for a protocol:
  tcp
  udp
  dns
IP addresses:
  ip.addr == 10.43.54.65
  !(ip.addr == 10.43.54.65)
Most common Wireshark filters
Examples for web traffic:
  http.request.uri == "https://www.wireshark.org/"
  http.host matches "acme\.(org|com|net)"
  http.response.code == 200
  http.request.method == "GET"
  tcp contains "admin"
Wireshark filters logic
Filter for HTTP traffic with specific addresses and frame time, and not a 200 response (e.g. you want to see 301 Moved Permanently and 500 Server Error packets):
  http && ((ip.dst == 192.168.178.27) || (ip.dst == 193.70.91.56)) && frame.time >= "2019-01-24 00:01:00.0000" && frame.time <= "2019-01-25 15:01:53.0000" && http.response.code != 200
Follow the stream
Select a packet > right mouse click > Follow > HTTP Stream
What if I told you
- that you can sort the traffic just by clicking the column names.
- that you can search for strings in packets using Edit > Find Packet... (Ctrl+F).
Contents
- SSL Man-in-the-Middle with Wireshark (Linux edition)
SSL Man-in-the-Middle with Wireshark
To test the decryption of SSL traffic with Wireshark:
- Create private keys of the server and the client
- Start a server which uses the certificate with the key and send some test packets
- Configure Wireshark
Create certificates
Create a server certificate (self-signed, with an unencrypted key; -nodes skips the key passphrase):
  # openssl req -new -x509 -out server.crt -nodes -keyout server.pem -subj /CN=localhost
Create a client certificate:
  # openssl req -new -x509 -nodes -out client.crt -keyout client.key -subj /CN=Moi/O=Foo/C=NL
Start a server
Start a server at localhost:4443 (-www serves a status page over HTTPS; -verify 1 requests, but does not require, a client certificate signed by client.crt):
  # openssl s_server -cipher AES256-SHA -accept 4443 -www -CAfile client.crt -verify 1 -key server.pem -cert server.crt
Send a request with Python 3 and stop the capture
  import urllib.request
  import ssl

  # Disables certificate verification: acceptable only because the
  # test server uses a self-signed certificate on localhost.
  context = ssl._create_unverified_context()
  with urllib.request.urlopen("https://localhost:4443/", context=context) as url:
      s = url.read()
  print(s)
Traffic captured
Configure Wireshark
Edit > Preferences
On the left: Protocols > SSL
RSA keys list: press "Edit..." and add via "+":
  IP address: any
  Port: 4443
  Protocol: http
  Key file: /./server.pem
  Password: (empty)
Configure Wireshark
SSL debug file (file to look for decrypted output!): /./wiresharklog.txt
Check "Reassemble SSL records spanning multiple TCP segments"
Check "Reassemble SSL Application Data spanning multiple SSL records"
Don't check "Message Authentication Code (MAC), ignore "mac failed""
Pre-Shared-Key: (left empty)
(Pre)-Master-Secret log filename: /./client.key
Enjoy the decryption
Enjoy the decryption (proof)
SSL Man-in-the-Middle (the easy way)
Set the SSLKEYLOGFILE environment variable and enter its value under (Pre)-Master-Secret log filename.
Bedtime reading: …ireshark-ssltls-decryption
Contents
- WLAN traffic Man-in-the-Middle with Wireshark
Data packets capturing
To start capturing:
- Select the WLAN network interface
- Click on the blue shark fin button / press Ctrl+E
Example: Establishing a WLAN connection
Example: HTTP/HTTPS traffic capture on the wlan0 interface
Decrypt traffic with a known key
Edit > Preferences
On the left: Protocols > IEEE 802.11
And add a decryption key
Further reading
Wireshark Advanced
414C504F
Contents
- Wireshark parsers (dissectors)
Wireshark dissectors
Dissectors are parsers/custom scripts to analyse packets' data.
Can be implemented:
- in Lua
- in C
Wireshark Lua dissectors
helloworld.lua (saved under /usr/lib/x86…d.lua):
  local splash = TextWindow.new("Hello World!");
Wireshark Lua dissectors
The dissector will be executed on Wireshark's start. The script has to be saved in the Plugin directory, e.g.:
  # locate wireshark | grep -iE 'plugins'
  /usr/lib/x86_64-linux-gnu/wireshark/plugins/2.2.6
Alternatively, you can enforce the execution of a Lua dissector by running the dofile command under Tools > Lua > Evaluate:
  dofile("path/to/file.lua")
Lua basics
- Is a multi-paradigm language (supports procedural style, functional programming, has some object-oriented programming features)
- Dynamically typed
- Supports atomic data structures such as
  - boolean values,
  - numbers (double-precision floating point and 64-bit integers by default),
  - strings,
  - tables (for arrays/sets/lists)
Lua basics
- -- means comment
- Not equal in conditionals is ~=
- Loops: while, repeat ... until (similar to a do-while loop), for (numeric), for (generic)
- Use i = i + 1 instead of ++ or +=
- nil for null
Lua basics: function example
  function add(x, y)
    return x + y
  end
  local splash = TextWindow.new(add(3,6));
Lua basics (function example #2)
Credits: https://en.wikipedia.org/wiki/Lua_(programming_language)
Editing columns example
Source: https://wiki.wireshark.org/Lua/Examples
Editing columns example (before Lua)
Editing columns example (after execution)
Note: will only work at Wireshark's start (save the script in the Plugins folder before)
Editing trees example
Source: https://wiki.wireshark.org/LuaAPI/TreeItem
HTTP Example
- Edit the script so that it works for the HTTP protocol on port 80
- Add a function, e.g. addition of 2 values, and output the result in a tree field
Exercise
Develop a dissector to encode the request body of an HTTP packet into the Base64 format (if you know how to encode it, you will probably be able to decode it ;))
Exercise (solution)
- Replace the addxy function with the code from …master/base64.lua
- Edit the proto_foo.dissector function as follows:
Exercise (solution, proof)
Decode as a proof:
  t:set_text(from_base64(to_base64(tostring(buf()))))
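A complete Lua dissector for the HTTP-on-port-80 exercise above, added here as an example and not the slides' own script: it base64-encodes the HTTP request body into a tree field, with a pure-Lua encoder standing in for the external base64.lua. The protocol and field names (foo, foo.len, foo.b64) and the use of TvbRange:raw() instead of tostring(buf()) are this example's choices.

```lua
-- Pure-Lua base64 encoder (stands in for the slides' external base64.lua).
local B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

local function to_base64(data)
  local out = {}
  for i = 1, #data, 3 do
    local a, b, c = data:byte(i, i + 2)           -- b and c are nil at the tail
    local n = a * 65536 + (b or 0) * 256 + (c or 0)
    local i1, i2 = math.floor(n / 262144) % 64, math.floor(n / 4096) % 64
    local i3, i4 = math.floor(n / 64) % 64, n % 64
    out[#out + 1] = B64:sub(i1 + 1, i1 + 1) .. B64:sub(i2 + 1, i2 + 1)
      .. (b and B64:sub(i3 + 1, i3 + 1) or "=")    -- pad when input is short
      .. (c and B64:sub(i4 + 1, i4 + 1) or "=")
  end
  return table.concat(out)
end

-- Protocol and field names are this example's own (assumption).
local proto_foo = Proto("foo", "Foo: base64 view of the HTTP request body")
local f_len = ProtoField.uint32("foo.len", "Body length", base.DEC)
local f_b64 = ProtoField.string("foo.b64", "Body (base64)")
proto_foo.fields = { f_len, f_b64 }

-- Registering proto_foo on tcp.port 80 replaces the built-in HTTP dissector
-- there, so keep a handle to it and call it first: the normal HTTP tree
-- stays available for the usual filters (http.request.method, ...).
local http = Dissector.get("http")

function proto_foo.dissector(buf, pinfo, tree)
  http:call(buf, pinfo, tree)
  if buf:len() == 0 or pinfo.dst_port ~= 80 then return end  -- requests only
  local raw = buf():raw()                       -- bytes as a Lua string
  -- Body = everything after the header block. Bodies that span several
  -- TCP segments are only seen partially; reassembly is out of scope here.
  local body = raw:match("\r\n\r\n(.*)$")
  if body == nil or #body == 0 then return end
  local t = tree:add(proto_foo, buf(), "Foo: HTTP request body (base64)")
  t:add(f_len, buf(), #body)
  t:add(f_b64, buf(), to_base64(body))
end

DissectorTable.get("tcp.port"):add(80, proto_foo)
```

Save it in the plugins directory shown earlier or load it with dofile(); the encoded body then appears under the Foo tree item and can be filtered with foo.b64.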
What's next?
Modify/resend packets?
- Use Burp, OWASP ZAP etc. proxy for HTTP/HTTPS
- tcpreplay, tcprewrite, tcpreplay-edit
- Canape (if you dare)
Questions/Feedback?
E-mail: 414C504F@tuta.io
Github: https://github.com/414C504F
Thanks!