Didier Stevens

Monday 18 May 2015

Howto: Install Wireshark Dissectors

Filed under: My Software,Wireshark — Didier Stevens @ 0:00

I teach a Wireshark class at Brucon 2015.

If you want to use my Wireshark dissectors like TCP Flag dissector, but don’t know how to install a Wireshark dissector, then watch this video howto:

Monday 2 February 2015

AirPcap Channel Hopping With Python

Filed under: Didier Stevens Labs,My Software,WiFi,Wireshark — Didier Stevens @ 0:00

I’m teaching a Wireshark WiFi and Lua 2-day class at Brucon Spring Training 2015. You get an AirPcap packet capture adapter when you attend this class.

I made a modification to my Python program to do channel hopping with the AirPcap adapter. Now you can specify a sequence of channels with option -c.

20150201-142106
apc-channel_v0_2.zip (https)
MD5: 52169F5CB679E6C0DF1F8D47DA38F779
SHA256: 59F4BEE229F5EF5B7AF27BAF6AA972DCDC9E6A6007E8E468AE7BC7C3F1CB89DD

Tuesday 10 June 2014

Packet Class: Wireshark – Import Hex Dump

Filed under: 010 Editor,My Software,Wireshark — Didier Stevens @ 20:34

During my “Packet Class: Wireshark” training, we do an exercise on importing a hex dump in Wireshark.

I recently created a 010 Editor script to help with the creation of hex dumps for Wireshark.

This video shows its usage:

Monday 12 May 2014

Video: “Packet Class: Wireshark – Lua Protocol Dissectors”

Filed under: Networking,Wireshark — Didier Stevens @ 21:02

In this video, I’m trying to give you an idea of what you can expect in my “Packet Class: Wireshark” training when we will cover protocol dissectors written in Lua.

Monday 28 April 2014

TCP Flags for Wireshark

Filed under: My Software,Networking,Wireshark — Didier Stevens @ 20:03

This is a topic I’m teaching in my “Packet Class: Wireshark” training in Amsterdam next month.

20140404-112631

You can configure Wireshark to display TCP flags like Snort does. One way to do this, is to create a post-dissector and then add a column with its output (like in the screenshot above).

I developed a Wireshark Lua dissector generator. You provide it some definitions, like this:

[dissector]
file_prefix = tcp-flags
type = postdissector
description = Wireshark Lua tcp-flags postdissector example

[protocol]
proto = tcpflags
description = TCP Flags Postdissector

[protocolfields]
field_1 = flags
description_a_1 = TCP Flags
description_b_1 = The TCP Flags

[fields]
field_1 = tcp.flags

And then my Python program lua-dissector-generator.py takes this input and generates a Lua post-dissector with one new protocol + field, using an existing field.

--[[
	2014/02/21 - 2014/02/21
	tcp-flags-postdissector.lua V0.0.1
	Wireshark Lua tcp-flags postdissector example

	Source code by Didier Stevens, GPL according to Wireshark Foundation ToS
	https://DidierStevens.com
	Use at your own risk

	Shortcommings, or todo's 😉

	History:
		2014/02/21: start
--]]

local function DefineAndRegister_tcpflags_postdissector()
	local oProto_tcpflags = Proto('tcpflags', 'TCP Flags Postdissector')

	local oProtoFieldflags = ProtoField.string('tcpflags.flags', 'TCP Flags', 'The TCP Flags')

	oProto_tcpflags.fields = {oProtoFieldflags}

	local oField_tcp_flags = Field.new('tcp.flags')

	function oProto_tcpflags.dissector(buffer, pinfo, tree)
		local tcp_flags = oField_tcp_flags()

		if tcp_flags ~= nil then
			local oSubtree = tree:add(oProto_tcpflags, 'TCP Flags')
			oSubtree:add(oProtoFieldflags, tcp_flags.value)
		end
	end

	register_postdissector(oProto_tcpflags)
end

local function Main()
	DefineAndRegister_tcpflags_postdissector()
end

Main()

Finally, we add functions to represent the individual TCP flags:


local function DecodeFlag(flags, mask, character)
	if bit.band(flags, mask) == 0 then
		return '*'
	else
		return character
	end
end

local function TCPFlagIntegerToSnort(tcpflags)
	local s_tcp_flags = ''

	s_tcp_flags = s_tcp_flags .. DecodeFlag(tcpflags, 0x80, 'C')
	s_tcp_flags = s_tcp_flags .. DecodeFlag(tcpflags, 0x40, 'E')
	s_tcp_flags = s_tcp_flags .. DecodeFlag(tcpflags, 0x20, 'U')
	s_tcp_flags = s_tcp_flags .. DecodeFlag(tcpflags, 0x10, 'A')
	s_tcp_flags = s_tcp_flags .. DecodeFlag(tcpflags, 0x08, 'P')
	s_tcp_flags = s_tcp_flags .. DecodeFlag(tcpflags, 0x04, 'R')
	s_tcp_flags = s_tcp_flags .. DecodeFlag(tcpflags, 0x02, 'S')
	s_tcp_flags = s_tcp_flags .. DecodeFlag(tcpflags, 0x01, 'F')

	return s_tcp_flags
end

That’s it. You can download this post-dissector here:

wireshark-lua-dissectors_V0_0_3.zip (https)
MD5: 73F9BB860F2204DBDE7FF3A7E5CA413F
SHA256: 900A21C862973294AB25A8966299386BD058A352CEA21CA97BA546DA12964465

Friday 4 April 2014

Announcement: Wireshark Lua Dissectors

Filed under: Announcement,My Software,Networking,Wireshark — Didier Stevens @ 10:18

To promote my Hack In The Box Wireshark training, I’ll start to publish some Lua dissectors.

Here is a screenshot of my TCP Flags dissector. It was generated (and adapted) with my Wireshark Lua dissector generator. It displays TCP flags like Snort does.

You can clearly see the SYN – SYN/ACK – ACK phase of the first TCP connection (packets 1, 2 and 3).

20140404-112631

Friday 21 February 2014

The Credentials Listener

Filed under: Forensics,My Software,Networking,Wireshark — Didier Stevens @ 0:04

I’m taking SANS’ “SEC503 Intrusion Detection In-Depth” class here in Brussels.

One of the exercises consisted of extracting the passwords from a capture file of a FTP password dictionary attack.

I was at an advantage for this exercise 😉 I have a Lua script for Wireshark that extracts credentials (HTTP and FTP in this release).

20140221-005255

Notice that some entries have no username. A closer look at the capture file with Wireshark revealed missing segments (with the USER admin FTP command).

wireshark-tools-v0_0_1.zip (https)
MD5: 30232A81CBD0DEE275C2A3CDAF7E333C
SHA256: E45CE8AF5417A8A1C857FDF84F2FD92860738CF2E723A64A730F606D2C495064

Blog at WordPress.com.