Wireshark for Security Professionals - Jessey Bullock - E-Book

Jessey Bullock

Description

Master Wireshark to solve real-world security problems

If you don't already use Wireshark for a wide range of information security tasks, you will after this book. Mature and powerful, Wireshark is commonly used to find the root cause of challenging network issues. This book extends that power to information security professionals, complete with a downloadable virtual lab environment. Wireshark for Security Professionals covers both offensive and defensive concepts that can be applied to essentially any InfoSec role. Whether you work in network security, malware analysis, intrusion detection, or penetration testing, this book demonstrates Wireshark through relevant and useful examples.

Master Wireshark through both lab scenarios and exercises. Early in the book, a virtual lab environment is provided for the purpose of getting hands-on experience with Wireshark. Wireshark is combined with two popular platforms: Kali, the security-focused Linux distribution, and the Metasploit Framework, the open-source framework for security testing. Lab-based virtual systems generate network traffic for analysis, investigation, and demonstration. In addition to following along with the labs, you will be challenged with end-of-chapter exercises to expand on the covered material. Lastly, this book explores Wireshark with Lua, the lightweight programming language. Lua allows you to extend and customize Wireshark's features for your needs as a security professional. Lua source code is available both in the book and online. Lua code and lab source code are available online through GitHub, which the book also introduces. The book's final two chapters draw heavily on Lua and TShark, the command-line interface of Wireshark.

By the end of the book you will gain the following:

* Master the basics of Wireshark
* Explore the virtual w4sp-lab environment that mimics a real-world network
* Gain experience using the Debian-based Kali OS among other systems
* Understand the technical details behind network attacks
* Execute exploitation and grasp offensive and defensive activities, exploring them through Wireshark
* Employ Lua to extend Wireshark features and create useful scripts

To sum up, the book content, labs, and online material, coupled with many referenced sources of PCAP traces, together present a dynamic and robust manual for information security professionals seeking to leverage Wireshark.


Page count: 390

Year of publication: 2017




Table of Contents

Cover

Title Page

Introduction

Overview of the Book and Technology

How This Book Is Organized

Who Should Read This Book

Tools You Will Need

What's on the Website

Summary

Chapter 1: Introducing Wireshark

What Is Wireshark?

The Wireshark User Interface

Filters

Summary

Exercises

Chapter 2: Setting Up the Lab

Kali Linux

Virtualization

VirtualBox

The W4SP Lab

Summary

Exercises

Chapter 3: The Fundamentals

Networking

Security

Packet and Protocol Analysis

Summary

Exercises

Chapter 4: Capturing Packets

Sniffing

Dealing with the Network

Loading and Saving Capture Files

Dissectors

Viewing Someone Else's Captures

Summary

Exercises

Chapter 5: Diagnosing Attacks

Attack Type: Man-in-the-Middle

Attack Type: Denial of Service

Attack Type: Advanced Persistent Threat

Summary

Exercises

Chapter 6: Offensive Wireshark

Attack Methodology

Reconnaissance Using Wireshark

Evading IPS/IDS

Exploitation

Remote Capture over SSH

Summary

Exercises

Chapter 7: Decrypting TLS, Capturing USB, Keyloggers, and Network Graphing

Decrypting SSL/TLS

USB and Wireshark

Graphing the Network

Summary

Exercises

Chapter 8: Scripting with Lua

Why Lua?

Scripting Basics

Setup

Tools

Creating Dissectors for Wireshark

Extending Wireshark

Summary

End User License Agreement

List of Illustrations

Chapter 1: Introducing Wireshark

Figure 1-1: The Wireshark home screen

Figure 1-2: The Packet List pane

Figure 1-3: The Packet Details pane

Figure 1-4: Field information in the status bar

Figure 1-5: ARP packet Opcode

Figure 1-6: Filter results of ARP from a source address

Figure 1-7: Complex display filter example

Chapter 2: Setting Up the Lab

Figure 2-1: Getting SHA-256 file hash in PowerShell

Figure 2-2: VirtualBox SHA-256 checksums

Figure 2-3: VirtualBox installation window

Figure 2-4: VirtualBox feature selection

Figure 2-5: VirtualBox shortcut creation

Figure 2-6: VirtualBox networking warning

Figure 2-7: VirtualBox installation window

Figure 2-8: VirtualBox installation status

Figure 2-9: VirtualBox driver installation prompt

Figure 2-10: VirtualBox installation finished

Figure 2-11: VirtualBox GUI and restart window

Figure 2-12: VirtualBox Extension Pack download

Figure 2-13: VirtualBox Extension Pack preferences

Figure 2-14: VirtualBox Extension Pack installation

Figure 2-15: Successful VirtualBox Extension Pack installation

Figure 2-16: Kali download web page

Figure 2-17: Creating a new virtual machine

Figure 2-18: Selecting virtual machine memory

Figure 2-19: Creating virtual disk

Figure 2-20: Selecting virtual disk type

Figure 2-21: Storage on physical disk

Figure 2-22: Virtual disk size

Figure 2-23: Enabling PAE

Figure 2-24: Selecting start-up disk

Figure 2-25: Kali boot menu

Figure 2-26: Possible temporary error

Figure 2-27: Entering a hostname

Figure 2-28: Skipping the domain

Figure 2-29: Entering a root password

Figure 2-30: Partitioning the disk

Figure 2-31: Confirming the disk

Figure 2-32: Confirming a single partition

Figure 2-33: Writing changes to the disk

Figure 2-34: Confirming disk changes

Figure 2-35: The installation progress bar

Figure 2-36: The option for a network mirror

Figure 2-37: Network connection proxy

Figure 2-38: GRUB boot loader

Figure 2-39: Installation is complete

Figure 2-40: System settings

Figure 2-41: New user w4sp-lab

Figure 2-42: Firefox to GitHub

Figure 2-43: Saving the W4SP Lab file

Figure 2-44: Opening Terminal

Figure 2-45: Unzipping the W4SP Lab

Figure 2-46: Running the W4SP Lab installation script

Figure 2-47: Running the W4SP Lab setup

Figure 2-48: The full W4SP Lab network

Chapter 3: The Fundamentals

Figure 3-1: OSI layers in Wireshark

Figure 3-2: VirtualBox networking options

Figure 3-3: Malware signature code

Figure 3-4: Small Incoming Layer 2 frame

Figure 3-5: Smaller outgoing Layer 2 frame

Figure 3-6: Gratuitous ARP

Figure 3-7: TCP's 3-way handshake

Chapter 4: Capturing Packets

Figure 4-1: The Capture interfaces list

Figure 4-2: Superuser warning

Figure 4-3: New traffic

Figure 4-4: Renaming a network interface

Figure 4-5: Sample localhost ICMP traffic

Figure 4-6: Installing the loopback adapter on Windows

Figure 4-7: RawCap loopback sniffing

Figure 4-8: RawCap pcap in Wireshark

Figure 4-9: VirtualBox bridging

Figure 4-10: Wireshark sniffing bridged network

Figure 4-11: Capturing packets with a hub

Figure 4-12: Traffic when sniffing on a hub

Figure 4-13: SPAN sniffing connections

Figure 4-14: Throwing star LAN tap

Figure 4-15: Traffic flow when sniffing a Linux bridge

Figure 4-16: Raw wireless packets in Wireshark

Figure 4-17: The File Save dialog box

Figure 4-18: Properties of a capture file

Figure 4-19: Multiple file settings

Figure 4-20: Stop capture options

Figure 4-21: Setting multiple files and ring buffer

Figure 4-22: Resultant ring buffer files

Figure 4-23: Mergecap verbose

Figure 4-24: Mergecap complete

Figure 4-25: Clearing recent files

Figure 4-26: Changing the number of recent files shown

Figure 4-27: Wireshark's Decode As window

Figure 4-28: Wireshark's Decode As window

Figure 4-29: Packet list filtering for SMB

Figure 4-30: SMB packets referencing a file

Figure 4-31: Packet list filtered for NT Create calls

Figure 4-32: Adjusting packet colors

Figure 4-33: Colorizing conversations

Chapter 5: Diagnosing Attacks

Figure 5-1: Man-in-the-middle position

Figure 5-2: Ping and ARP transaction

Figure 5-3: W4SP Lab network

Figure 5-4: W4SP's vic1

Figure 5-5: LOCALSIP

Figure 5-6: Exploit in progress

Figure 5-7: ARP packets fly

Figure 5-8: FTP credentials to attacker

Figure 5-9: Expert information

Figure 5-10: Noting your IP address

Figure 5-11: DHCP module options

Figure 5-12: DHCP running

Figure 5-13: DNS settings done

Figure 5-14: DNS queries

Figure 5-15: Quieter fake DNS

Figure 5-16: FTP capturing

Figure 5-17: Mirai password list

Figure 5-18: Pingbed

Figure 5-19: Gh0st

Figure 5-20: Xinmic

Figure 5-21: Malware analysis practice

Chapter 6: Offensive Wireshark

Figure 6-1: W4SP Lab network

Figure 6-2: Nmap port scan

Figure 6-3: Nmap port scan in Wireshark

Figure 6-4: Open port in Wireshark

Figure 6-5: Metasploitable and its IP

Figure 6-6: Searching for the VSFTPD exploit

Figure 6-7: Exploit success but no shell

Figure 6-8: Exploit attempt in Wireshark

Figure 6-9: Exploit success with shell

Figure 6-10: Root shell command WHOAMI

Figure 6-11: Root in packet bytes

Figure 6-12: Metasploit RMI data

Figure 6-13: Metasploit HTTP JAR data

Figure 6-14: Metasploit hex dump

Figure 6-15: Unanswered SYNs

Figure 6-16: Filter for tcp/4444

Figure 6-17: Encrypted traffic

Figure 6-18: ELK

Figure 6-19: Time-field name

Figure 6-20: SSHdump install

Chapter 7: Decrypting TLS, Capturing USB, Keyloggers, and Network Graphing

Figure 7-1: Browsing to ftp1.labs

Figure 7-2: Follow TCP stream on SSL/TLS traffic

Figure 7-3: Wireshark SSL/TLS protocol options

Figure 7-4: Setting up SSL/TLS decryption

Figure 7-5: Decrypting TLS traffic in Wireshark

Figure 7-6: Adding SSLKEYLOGFILE

Figure 7-7: Decrypted SSL/TLS data

Figure 7-8: USB device overview

Figure 7-9: usbmon interfaces

Figure 7-10: Connecting USB device to Kali VM

Figure 7-11: Wireshark usbmon error

Figure 7-12: Capturing on usbmon2

Figure 7-13: USBPcap device list

Figure 7-14: USBPcap running a capture

Figure 7-15: Filtering USB traffic to host

Figure 7-16: HID key codes

Figure 7-17: TShark key sniffer

Figure 7-18: TShark-generated network graph

Chapter 8: Scripting with Lua

Figure 8-1: Lua Interactive Interpreter

Figure 8-2: Wireshark About page

Figure 8-3: Lua in Tools menu

Figure 8-4: Lua Console in Wireshark

Figure 8-5: Wireshark Evaluate Lua

Figure 8-6: Wireshark without a dissector

Figure 8-7: Our protocol fields

Figure 8-8: Sample protocol hexdump

Figure 8-9: Tree items in Wireshark

Figure 8-10: Running direction script

Figure 8-11: Finding a suspicious packet

List of Tables

Chapter 1: Introducing Wireshark

Table 1-1: Comparison Operators

Table 1-2: Logical Operators

Chapter 4: Capturing Packets

Table 4-1: Common Wireshark Capture File Formats

Chapter 5: Diagnosing Attacks

Table 5-1: Exploit Options

Table 5-2: Well-Known DoS Tools

Wireshark® for Security Professionals

Using Wireshark and the Metasploit® Framework

Jessey Bullock, Jeff T. Parker

Introduction

Welcome to Wireshark for Security Professionals. This was an exciting book for us to write. A combined effort of a few people with varied backgrounds—spanning information security, software development, and online virtual lab development and teaching—this book should appeal and relate to many people.

Wireshark is the tool for capturing and analyzing network traffic. Originally named Ethereal and renamed in 2006, Wireshark is well established and respected among your peers. But you already knew that, or why would you invest your time and money in this book? What you're really here for is to delve into how Wireshark makes your job easier and your skills more effective.

Overview of the Book and Technology

This book hopes to meet three goals:

Broaden the information security professional's skillset through Wireshark.

Provide learning resources, including labs and exercises, to apply what you learn.

Demonstrate how Wireshark helps with real-life scenarios through Lua scripting.

The book isn't only for reading; it's for doing. Any Wireshark book can show how wonderful Wireshark can be, but this book also gives you opportunities to practice the craft, hone your skills, and master the features Wireshark offers.

These opportunities come in a few forms. First, to apply what's in the text, you will practice in labs. You build the lab environment early in the book and put it to use throughout the chapters that follow. The second opportunity for practice is at the end of each chapter, save the last Lua scripting chapter. The end-of-chapter exercises largely build on the labs to challenge you again, but with far less hand-holding. Between the labs and exercises, your time spent with Wireshark ensures that time spent reading is not forgotten.

The lab environment was created using containerization technology, resulting in a fairly lightweight virtual environment to be installed and run on your own system. The whole environment was designed specifically for you, the book reader, to practice the book's content. These labs were developed and are maintained by one of the authors, Jessey Bullock. The source code for the labs is available online. See Chapter 2 for specifics.

In short, this book is a hands-on, practice-oriented Wireshark guide created for you, the information security professional. The exercises will help keep you advancing your Wireshark expertise long after the last page.

How This Book Is Organized

The book is structured on the assumption that readers will start from the beginning and then work through the main content. The initial three chapters not only introduce the title application Wireshark but also the technology to be used for the labs, along with the basic concepts required of the reader. Readers already familiar with Wireshark should still work through the lab setup chapter, since future chapters depend on the work being done. These first three chapters are necessary to cover first, before putting the following chapters to use.

The majority of the book that follows is structured to discuss Wireshark in the context of information security. Whether capturing, analyzing, or confirming attacks, the book's main content and its labs are designed to most benefit information security professionals.

The final chapter is built around the scripting language Lua. Lua greatly increases Wireshark's flexibility as an already powerful network analyzer. Initially, the Lua scripts were scattered throughout the chapters, but they were later combined into a single chapter all their own. It was also appreciated that not all readers are coders, so Lua scripts are better served through one go-to resource.

Here's a summary of the book's contents:

Chapter 1, “Introducing Wireshark,” is best for the professional with little to no experience with Wireshark. The main goal is to help you avoid being overwhelmed, introduce the interface, and show how Wireshark can be your friend.

Chapter 2, “Setting Up the Lab,” is not to be skipped. Starting with setting up a virtualized machine, this chapter then sets up the W4SP Lab, which you will use several times in upcoming chapters.

Chapter 3, “The Fundamentals,” covers basic concepts and is divided into three parts: networking, information security, and packet analysis. The book assumes most readers might be familiar with at least one or two areas, but the chapter makes no assumptions.

Chapter 4, “Capturing Packets,” discusses network captures, or the recording of network packets. We take a deep dive into how Wireshark captures, manipulates capture files, and interprets the packets. There's also a discussion around working with the variety of devices you encounter on a network.

Chapter 5, “Diagnosing Attacks,” makes good use of the W4SP Lab, re-creating various attacks commonly seen in the real world. Man-in-the-middle attacks, spoofing of various services, denial of service attacks, and more are all discussed.

Chapter 6, “Offensive Wireshark,” also covers malicious traffic, but from the hacker's perspective. Wireshark and the W4SP Lab are again relied on to launch, debug, and understand exploits.

Chapter 7, “Decrypting TLS, Capturing USB, Keyloggers, and Network Graphing,” is a mash-up of more activities as we leverage Wireshark. From decrypting SSL/TLS traffic to capturing USB traffic across multiple platforms, this chapter promises to demonstrate something you can use wherever you work or play.

Chapter 8, “Scripting with Lua,” contains about 95% of the book's script content. It starts simple with scripting concepts and Lua setup, whether you're working on Windows or Linux. Scripts start with “Hello, World” but lead to packet counting and far more complex topics. Your scripts will both enhance the Wireshark graphic interface and run from the command line.

Who Should Read This Book

To claim this book is for security professionals might be specific enough to the general IT crowd. However, to most information security professionals, it's still too broad a category. Most of us specialize in some way or another, and identify ourselves by our role or current passion. Some examples include firewall administrator, network security engineer, malware analyst, and incident responder.

Wireshark is not limited to just one or two of those roles. The need for Wireshark can be found in roles such as penetration tester or ethical hacker—roles defined by being proactive and engaging. Additional roles like forensics analyst, vulnerability tester, and developer also benefit from being familiar with Wireshark. We'll show this through examples in the book.

Regarding expectations of the reader, the book makes no assumptions. Information security specializations vary enough that someone with 15 years of experience in one field is likely a novice in other fields. Wireshark offers value for anyone in those fields, but it does expect a basic understanding of networking, security, and how protocols work. Chapter 3 ensures we're all on the same page.

Any reader must be technically savvy enough to install software or understand how systems are networked. And since the book targets security professionals, we presume a fundamental level of information security knowledge. Still, as far as “fundamentals” go, Chapter 3 acts as a refresher for what's necessary around networking, information security, and packet and protocol analysis.

Further in the book, Wireshark is used in the context of various roles, but there's no experience requirement for grasping the content or making use of the labs. For example, the tools used in Chapter 6, “Offensive Wireshark,” might already be familiar to the penetration tester, but the chapter assumes zero experience when instructing setup.

To sum up, we understand there is a wide spectrum of possible roles and experience levels. You might be employed in one of these roles and want to use Wireshark more. Or you might be getting ready to take on one of these roles, and recognize Wireshark as an essential tool to use. In either case, this book is for you.

Tools You Will Need

The one tool required for this book is a system. Your system does not need to be especially powerful; ideally it is no more than a few years old. Your system will first be used in Chapter 2, “Setting Up the Lab.” You first install and set up a virtualized machine. Then, on that virtual machine, you will set up the labs.

Of course, this book can benefit those without a system, but a system is needed to perform the labs referenced throughout the book.

What's on the Website

The primary website needed for this book is the GitHub repository for the W4SP Lab code. The GitHub repo and its contents are explained further in Chapter 2, “Setting Up the Lab,” where you first download and build the virtual lab environment. Then the Lab files are installed onto your virtual machine.

Other websites are cited throughout the book, mostly as pointers for additional resources. For example, some sites hold hundreds of network capture files that are available for analysis.

Summary

This is where we, the authors, are on the edge of our seats, hoping you will leap into and enjoy the book, its materials, and the labs. A lot of thought and effort went into this book. Our only desire was to create a resource that inspires more people to have a deeper appreciation of Wireshark. Being information security professionals ourselves, we crafted this book for our peers.