For NVISO, I’m providing Wireshark training at BruCON Spring 2018: Wireshark and Lua Programming.
In the following video, I show how to add comments to packets and capture files in Wireshark:
Following streams (like TCP connections) in Wireshark provides a different view on network traffic: instead of individual packets, one can see the data flowing between client & server.
There is a difference between following a TCP stream and an HTTP stream. For example, if the data downloaded from the webserver is gzip compressed, following the TCP stream will display the compressed data, while following the HTTP stream will display the decompressed data.
I illustrate this in the following video:
I teach a Wireshark class at Brucon 2015.
If you want to use my Wireshark dissectors like the TCP Flag dissector, but don’t know how to install a Wireshark dissector, then watch this how-to video:
I’m teaching a Wireshark WiFi and Lua 2-day class at Brucon Spring Training 2015. You get an AirPcap packet capture adapter when you attend this class.
I made a modification to my Python program to do channel hopping with the AirPcap adapter. Now you can specify a sequence of channels with option -c.
apc-channel_v0_2.zip (https)
MD5: 52169F5CB679E6C0DF1F8D47DA38F779
SHA256: 59F4BEE229F5EF5B7AF27BAF6AA972DCDC9E6A6007E8E468AE7BC7C3F1CB89DD
During my “Packet Class: Wireshark” training, we do an exercise on importing a hex dump in Wireshark.
I recently created a 010 Editor script to help with the creation of hex dumps for Wireshark.
This video shows its usage:
In this video, I’m trying to give you an idea of what you can expect in my “Packet Class: Wireshark” training when we will cover protocol dissectors written in Lua.
This is a topic I’m teaching in my “Packet Class: Wireshark” training in Amsterdam next month.
You can configure Wireshark to display TCP flags like Snort does. One way to do this is to create a post-dissector and then add a column with its output (like in the screenshot above).
I developed a Wireshark Lua dissector generator. You provide it some definitions, like this:
[dissector]
file_prefix = tcp-flags
type = postdissector
description = Wireshark Lua tcp-flags postdissector example

[protocol]
proto = tcpflags
description = TCP Flags Postdissector

[protocolfields]
field_1 = flags
description_a_1 = TCP Flags
description_b_1 = The TCP Flags

[fields]
field_1 = tcp.flags
And then my Python program lua-dissector-generator.py takes this input and generates a Lua post-dissector with one new protocol + field, using an existing field.
--[[
	2014/02/21 - 2014/02/21
	tcp-flags-postdissector.lua V0.0.1
	Wireshark Lua tcp-flags postdissector example
	Source code by Didier Stevens, GPL according to Wireshark Foundation ToS
	https://DidierStevens.com
	Use at your own risk

	Shortcomings, or todo's ;-)

	History:
		2014/02/21: start
--]]

local function DefineAndRegister_tcpflags_postdissector()
	-- New protocol with one string field that will carry the TCP flags
	local oProto_tcpflags = Proto('tcpflags', 'TCP Flags Postdissector')
	local oProtoFieldflags = ProtoField.string('tcpflags.flags', 'TCP Flags', 'The TCP Flags')
	oProto_tcpflags.fields = {oProtoFieldflags}
	-- Extractor for the existing tcp.flags field of the built-in TCP dissector
	local oField_tcp_flags = Field.new('tcp.flags')

	function oProto_tcpflags.dissector(buffer, pinfo, tree)
		local tcp_flags = oField_tcp_flags()
		if tcp_flags ~= nil then
			local oSubtree = tree:add(oProto_tcpflags, 'TCP Flags')
			oSubtree:add(oProtoFieldflags, tcp_flags.value)
		end
	end

	register_postdissector(oProto_tcpflags)
end

local function Main()
	DefineAndRegister_tcpflags_postdissector()
end

Main()
Finally, we add functions to represent the individual TCP flags:
local function DecodeFlag(flags, mask, character)
	if bit.band(flags, mask) == 0 then
		return '*'
	else
		return character
	end
end

local function TCPFlagIntegerToSnort(tcpflags)
	local s_tcp_flags = ''
	s_tcp_flags = s_tcp_flags .. DecodeFlag(tcpflags, 0x80, 'C')
	s_tcp_flags = s_tcp_flags .. DecodeFlag(tcpflags, 0x40, 'E')
	s_tcp_flags = s_tcp_flags .. DecodeFlag(tcpflags, 0x20, 'U')
	s_tcp_flags = s_tcp_flags .. DecodeFlag(tcpflags, 0x10, 'A')
	s_tcp_flags = s_tcp_flags .. DecodeFlag(tcpflags, 0x08, 'P')
	s_tcp_flags = s_tcp_flags .. DecodeFlag(tcpflags, 0x04, 'R')
	s_tcp_flags = s_tcp_flags .. DecodeFlag(tcpflags, 0x02, 'S')
	s_tcp_flags = s_tcp_flags .. DecodeFlag(tcpflags, 0x01, 'F')
	return s_tcp_flags
end
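As an added example (not the generator's output or the code from the download), this is one way to wire the two pieces together into a single post-dissector: the Snort-style string replaces the raw integer in the tree, and a second numeric field is kept so either one can be applied as a column or used in a display filter. The field names tcpflags.snort and tcpflags.value and the table-driven decoding are my assumptions; only the letters and bit order are taken from the post.

```lua
-- Added example: complete Snort-style TCP flags post-dissector for Wireshark Lua.
-- Field names 'tcpflags.snort' / 'tcpflags.value' are assumptions, not from the post.
local function DecodeFlag(flags, mask, character)
	if bit.band(flags, mask) == 0 then
		return '*'
	else
		return character
	end
end

-- Same order and letters as in the post: C E U A P R S F
-- (CWR, ECE, URG, ACK, PSH, RST, SYN, FIN), most significant bit first.
local FLAG_TABLE = {
	{0x80, 'C'}, {0x40, 'E'}, {0x20, 'U'}, {0x10, 'A'},
	{0x08, 'P'}, {0x04, 'R'}, {0x02, 'S'}, {0x01, 'F'},
}

local function TCPFlagIntegerToSnort(tcpflags)
	local s = ''
	for _, entry in ipairs(FLAG_TABLE) do
		s = s .. DecodeFlag(tcpflags, entry[1], entry[2])
	end
	return s
end

local oProto = Proto('tcpflags', 'TCP Flags Postdissector')
local oFieldSnort = ProtoField.string('tcpflags.snort', 'TCP Flags (Snort)', 'TCP flags in Snort notation')
local oFieldValue = ProtoField.uint16('tcpflags.value', 'TCP Flags (value)', base.HEX)
oProto.fields = {oFieldSnort, oFieldValue}

-- Extractor for the built-in TCP dissector's field; runs after TCP because this is a post-dissector
local oField_tcp_flags = Field.new('tcp.flags')

function oProto.dissector(buffer, pinfo, tree)
	local tcp_flags = oField_tcp_flags()
	if tcp_flags == nil then
		return -- not a TCP packet, nothing to add
	end
	-- tcp.flags also carries the reserved/NS bits above bit 7; keep only the eight classic flags
	local value = bit.band(tcp_flags.value, 0xFF)
	local oSubtree = tree:add(oProto, 'TCP Flags')
	oSubtree:add(oFieldSnort, TCPFlagIntegerToSnort(value))
	oSubtree:add(oFieldValue, tcp_flags.value)
end

register_postdissector(oProto)
```

With this loaded, a filter such as tcpflags.snort == "******S*" selects the SYN packets of each handshake, and tcpflags.value keeps the full numeric field for comparison with the built-in tcp.flags.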
That’s it. You can download this post-dissector here:
wireshark-lua-dissectors_V0_0_3.zip (https)
MD5: 73F9BB860F2204DBDE7FF3A7E5CA413F
SHA256: 900A21C862973294AB25A8966299386BD058A352CEA21CA97BA546DA12964465
To promote my Hack In The Box Wireshark training, I’ll start to publish some Lua dissectors.
Here is a screenshot of my TCP Flags dissector. It was generated (and adapted) with my Wireshark Lua dissector generator. It displays TCP flags like Snort does.
You can clearly see the SYN – SYN/ACK – ACK phase of the first TCP connection (packets 1, 2 and 3).
I’m taking SANS’ “SEC503 Intrusion Detection In-Depth” class here in Brussels.
One of the exercises consisted of extracting the passwords from a capture file of an FTP password dictionary attack.
I was at an advantage for this exercise 😉: I have a Lua script for Wireshark that extracts credentials (HTTP and FTP in this release).
Notice that some entries have no username. A closer look at the capture file with Wireshark revealed missing segments (with the USER admin FTP command).
wireshark-tools-v0_0_1.zip (https)
MD5: 30232A81CBD0DEE275C2A3CDAF7E333C
SHA256: E45CE8AF5417A8A1C857FDF84F2FD92860738CF2E723A64A730F606D2C495064