Wireshark for Security Professionals

Introduction xiii

1. Introducing Wireshark 1
What Is Wireshark? 2
A Best Time to Use Wireshark? 2
Avoiding Being Overwhelmed 3
The Wireshark User Interface 3
Packet List Pane 5
Packet Details Pane 6
Packet Bytes Pane 8
Filters 9
Capture Filters 9
Display Filters 13
Summary 17
Exercises 18

2. Setting Up the Lab 19
Kali Linux 20
Virtualization 22
Basic Terminology and Concepts 23
Benefi ts of Virtualization 23
VirtualBox 24
Installing VirtualBox 24
Installing the VirtualBox Extension Pack 31
Creating a Kali Linux Virtual Machine 33
Installing Kali Linux 40
The W4SP Lab 46
Requirements 46
A Few Words about Docker 47
What Is GitHub? 48
Creating the Lab User 49
Installing the W4SP Lab on the Kali Virtual Machine 50
Setting Up the W4SP Lab 53
The Lab Network 54
Summary 55
Exercises 56

3. The Fundamentals 57
Networking 58
OSI Layers 58
Networking between Virtual Machines 61
Security 63
The Security Triad 63
Intrusion Detection and Prevention Systems 63
False Positives and False Negatives 64
Malware 64
Spoofing and Poisoning 66
Packet and Protocol Analysis 66
A Protocol Analysis Story 67
Ports and Protocols 71
Summary 73
Exercises 74

4. Capturing Packets 75
Sniffi ng 76
Promiscuous Mode 76
Starting the First Capture 78
TShark 82
Dealing with the Network 86
Local Machine 87
Sniffi ng Localhost 88
Sniffi ng on Virtual Machine Interfaces 92
Sniffi ng with Hubs 96
SPAN Ports 98
Network Taps 101
Transparent Linux Bridges 103
Wireless Networks 105
Loading and Saving Capture Files 108
File Formats 108
Ring Buffers and Multiple Files 111
Recent Capture Files 116
Dissectors 118
W4SP Lab: Managing Nonstandard HTTP Traffi c 118
Filtering SMB Filenames 120
Packet Colorization 123
Viewing Someone Else s Captures 126
Summary 127
Exercises 128

5. Diagnosing Attacks 129
Attack Type: Man–in–the–Middle 130
Why MitM Attacks Are Effective 130
How MitM Attacks Get Done: ARP 131
W4SP Lab: Performing an ARP MitM Attack 133
W4SP Lab: Performing a DNS MitM Attack 141
How to Prevent MitM Attacks 147
Attack Type: Denial of Service 148
Why DoS Attacks Are Effective 149
How DoS Attacks Get Done 150
How to Prevent DoS Attacks 155
Attack Type: Advanced Persistent Threat 156
Why APT Attacks Are Effective 156
How APT Attacks Get Done 157
Example APT Traffi c in Wireshark 157
How to Prevent APT Attacks 161
Summary 162
Exercises 162

6. Off ensive Wireshark 163
Attack Methodology 163
Reconnaissance Using Wireshark 165
Evading IPS/IDS 168
Session Splicing and Fragmentation 168
Playing to the Host, Not the IDS 169
Covering Tracks and Placing Backdoors 169
Exploitation 170
Setting Up the W4SP Lab with Metasploitable 171
Launching Metasploit Console 171
VSFTP Exploit 172
Debugging with Wireshark 173
Shell in Wireshark 175
TCP Stream Showing a Bind Shell 176
TCP Stream Showing a Reverse Shell 183
Starting ELK 188
Remote Capture over SSH 190
Summary 191
Exercises 192

7. Decrypting TLS, Capturing USB, Keyloggers, and Network Graphing 193
Decrypting SSL/TLS 193
Decrypting SSL/TLS Using Private Keys 195
Decrypting SSL/TLS Using Session Keys 199
USB and Wireshark 202
Capturing USB Traffi c on Linux 203
Capturing USB Traffi c on Windows 206
TShark Keylogger 208
Graphing the Network 212
Lua with Graphviz Library 213
Summary 218
Exercises 219

8. Scripting with Lua 221
Why Lua? 222
Scripting Basics 223
Variables 225
Functions and Blocks 226
Loops 228
Conditionals 230
Setup 230
Checking for Lua Support 231
Lua Initialization 232
Windows Setup 233
Linux Setup 233
Tools 234
Hello World with TShark 236
Counting Packets Script 237
ARP Cache Script 241
Creating Dissectors for Wireshark 244
Dissector Types 245
Why a Dissector Is Needed 245
Experiment 253
Extending Wireshark 255
Packet Direction Script 255
Marking Suspicious Script 257
Snooping SMB File Transfers 260
Summary 262

Index 265