Now, Wireshark is very similar to TCPDump, in fact, a lot of people actually prefer Wireshark to TCPDump, but I look at them as two completely different utilities. TCPDump is fantastic for creating scripts, going through and doing large packet captures on systems and Wireshark is a lot better at doing analysis of systems using a full GUI interface.
So let’s dive right in. So we can go into applications and we can go to internet and we can select Wireshark. Once we’re in Wireshark, Wireshark has the ability to list out all of the interfaces on the system. This is once again very similar to what we saw with the TCPDump video with the
-D. I can choose any of the interfaces and it’ll pop up and it’ll say, “hey you need to be running this as root.”
So what I’m going to do is do
sudo wireshark and it’s going to ask me for my password. So alright, when we first get into Wireshark you’re going to be able to see all of your interfaces.
So down here, if I can zoom in you can see that we have ens33 sending some traffic.
So I can double click that and it’s automatically going to start sniffing on that particular interface. There’s not a lot going on, however, if I actually start up another terminal I can send a ping once again to 22.214.171.124 and then whenever we go back to Wireshark, you can actually see those ICMP echo requests going through. So pretty snifty to actually be able to see your traffic once again.
Another thing with Wireshark is, if you actually select any of these packets, it’s going to break down the actual hexadecimal decode here or the hacks and if you highlight over certain sections and click on the sections within the hacks, it’s going to decode what that is in the middle window.
So let’s go ahead and zoom in on that just a little bit. So if you select this section it says that this is the individual address unicast you can see this is the A and Mac addresses this is in VMware. If I get down to the bottom, this is the actual payload of what’s being sent. And with an ICMP echo request and reply on most Linux systems, it’s going to send an ICMP echo request with a payload of 0 1 2 3 4 5 6 7.
So that’s pretty neat.
Now, let’s actually go through and open up a file. I’m going to stop my sniff by clicking the little stop button and I’m going to go file, open, recent and I’m going to open up the actual pcap backdoor. I’m going to continue without saving. Now, this is actually a packet capture from a compromised computer system and this will give me the ability to dig in a little bit on some of the cool things that I can do with Wireshark.
So, if I can take any one of these packets right, a packet doesn’t necessarily exist in most communications, it’s just an individual thing. Some protocols like UDP and ICMP are very very much nonstateful. However, with most TCP protocols, they’re stateful.
So I’m going to send a packet to a system and it’s going to respond. This is going to be a conversation. I can right-click on any one of these different packets and I can actually go through and apply filters. I can apply a conversation filter or I can look at the individual streams themselves.
What I’m going to do, is I going to do follow TCP strength and this is going to give me the actual communication between these two systems and it’s going to display it in such a way that it’s easy for me to understand what’s going on.
Now, this is clear text HTTP, if it’s encrypted you’re going to see the encrypted data. But you can see that what was being sent between these two systems in this HTTP request, was a get request with our actual command and control data for a backdoor and then an HTTP okay response came back. Now, whenever I applied that, you can see that each of the streams has number values and in this situation, Wireshark said, “I want you to look at just the stream equal 0.” I can clear that out by hitting the little x right here.
The next thing I can do is I can look at some really cool statistics in a packet capture. I can do statistics and then I can look at all of the endpoints that are communicating in this particular packet capture. This allows me if I’m doing threat hunting or doing troubleshooting, to make sure that the IP address that I’m looking for is actually in this communication capture file that I have here as well.
Other things I can do is I can look at statistics and I can actually look at the conversations, how much data is being sent in between these different IP addresses.
So, what’s the address A, what’s the port that’s being used and who is that system actually talking to? How many packets are being sent and how much data is being sent as well? This will allow you to focus in on your top talkers on the network.
Finally, you can look at statistics and you can go through and look at protocol hierarchy as well.
So protocol hierarchy will actually breakdown the actual protocols that are being used in this particular packet capture itself. And in this situation you can see that we have ethernet, we have IPV4, we have some net bios traffic but we also have some TCP and some HTTP traffic as well.
Now the reason why you would do this, honestly, is because if you’re trying to break down a packet capture and you’re trying to understand what a system or a series of systems is doing, it really helps to kind of step back and say okay who’s talking with whom and then drill down to the specific IP address or IP addresses that you’re looking forward to talking to as well.
Finally, you can do statistics and you can actually look at the HTTP conversations as well and this will actually show you the HTTP requests that are being sent into the computers.
So this is just a quick overview of Wireshark, once again it isn’t meant to be exhaustive, but this is definitely a start for people that have never used Wireshark. Once again we’re using the security onion because we absolutely love that distribution and everything that they do because all these tools are built-in and yes you can get Wireshark for Mac and for Windows as well. I can’t wait to see you in the next video!
Join the BHIS Blog Mailing List – get notified when we post new blogs, webcasts, and podcasts.