Practical CEH Notes & Tools

Wireshark or Tcpdump

https://www.kali.org/tools/wireshark/ https://www.kali.org/tools/tcpdump/

Wireshark

# Start a live capture on an interface
wireshark -i eth1

# Filter by IP (source or destination)
ip.addr == 10.10.10.9

# Filter by destination IP
ip.dst == 10.10.10.15

# Filter by source IP
ip.src == 10.10.16.33

# Filter by TCP port (source or destination)
tcp.port == 25

# Filter by IP address and port
ip.addr == 10.10.14.22 and tcp.port == 8080

# Only SYN packets with no ACK (first packet of a handshake, or a SYN flood)
tcp.flags.syn == 1 and tcp.flags.ack == 0

# Broadcast frames
eth.dst == ff:ff:ff:ff:ff:ff

Filters CheatSheet

TShark

tshark -D                          # list capture interfaces
tshark -i eth1                     # live capture on eth1
tshark -r <FILE>.pcap              # read a saved capture
tshark -r <FILE>.pcap | wc -l      # packet count

# First 100 packets
tshark -r <FILE>.pcap -c 100

# Protocol hierarchy statistics
tshark -r <FILE>.pcap -z io,phs -q

# HTTP traffic
tshark -r <FILE>.pcap -Y 'http' | more

# Traffic between two hosts
tshark -r <FILE>.pcap -Y "ip.src==<SOURCE_IP> && ip.dst==<DEST_IP>"

# Only GET requests
tshark -r <FILE>.pcap -Y "http.request.method==GET"

# Frame time, source IP and full URL for every GET request
tshark -r <FILE>.pcap -Y "http.request.method==GET" -T fields -e frame.time -e ip.src -e http.request.full_uri

# Packets whose HTTP layer contains a string (contains is case-sensitive)
tshark -r <FILE>.pcap -Y "http contains password"

# Destination IP of requests whose Host header is <TARGET_URL>
tshark -r <FILE>.pcap -Y "http.request.method==GET && http.host==<TARGET_URL>" -T fields -e ip.dst

# Session ID: cookies sent by <IP> in packets mentioning amazon.in
tshark -r <FILE>.pcap -Y "ip contains amazon.in && ip.src==<IP>" -T fields -e ip.src -e http.cookie

# OS / browser type from the User-Agent header
tshark -r <FILE>.pcap -Y "ip.src==<IP> && http" -T fields -e http.user_agent

# WiFi (802.11) traffic only
tshark -r <FILE>.pcap -Y "wlan"

# Only deauthentication frames (management frame subtype 0x0c)
tshark -r <FILE>.pcap -Y "wlan.fc.type_subtype==0x000c"
# ... and the receiver addresses, i.e. the devices being deauthenticated
tshark -r <FILE>.pcap -Y "wlan.fc.type_subtype==0x000c" -T fields -e wlan.ra

# Only WPA handshake (EAPOL) packets
tshark -r <FILE>.pcap -Y "eapol"

# Only SSID/BSSID, taken from beacon frames (subtype 8)
tshark -r <FILE>.pcap -Y "wlan.fc.type_subtype==8" -T fields -e wlan.ssid -e wlan.bssid

# BSSID for a given SSID
tshark -r <FILE>.pcap -Y "wlan.ssid==<SSID>" -T fields -e wlan.bssid

# WiFi channel
tshark -r <FILE>.pcap -Y "wlan.ssid==<SSID>" -T fields -e wlan_radio.channel

# Vendor & model of a client: User-Agent of the HTTP requests sent from its MAC
tshark -r <FILE>.pcap -Y "wlan.ta==<DEVICE_MAC> && http" -T fields -e http.user_agent

ARP Poisoning - arpspoof

# Forward IP packets so the victim's traffic still reaches its destination through the attacker
echo 1 > /proc/sys/net/ipv4/ip_forward

# arpspoof -i <interface> -t <target> -r <host>   (-r poisons both sides and requires -t)
arpspoof -i eth1 -t <TARGET_IP> -r <HOST_IP>
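What arpspoof actually puts on the wire, and the check a defender runs against it, as an added example that is not part of these notes or of dsniff: the function below builds the spoofed ARP "is-at" reply that -t TARGET -r HOST sends to each side, and a small detector flags the two signatures this leaves in a capture (an IP whose MAC changes, and one MAC claiming several IPs). All MAC and IP addresses are made up; nothing is sent, the frames are only built and parsed.

```python
import struct
from collections import defaultdict

def mac2b(mac):
    return bytes.fromhex(mac.replace(":", ""))

def ip2b(ip):
    return bytes(int(o) for o in ip.split("."))

def arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet + ARP 'is-at' reply telling target_mac that sender_ip is at sender_mac.
    arpspoof -t <TARGET_IP> -r <HOST_IP> sends this to both sides with the attacker's
    MAC as sender_mac, repeatedly, so the poisoned cache entries never expire."""
    eth = mac2b(target_mac) + mac2b(sender_mac) + b"\x08\x06"   # dst MAC, src MAC, EtherType ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)               # htype Ethernet, ptype IPv4, hlen, plen, op=reply
    arp += mac2b(sender_mac) + ip2b(sender_ip) + mac2b(target_mac) + ip2b(target_ip)
    return eth + arp

def parse_arp(frame):
    """Decode an Ethernet/ARP frame into its fields, or return None for anything else."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    op, = struct.unpack_from("!H", frame, 20)
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(map(str, b))
    return {"op": op, "sha": fmt_mac(frame[22:28]), "spa": fmt_ip(frame[28:32]),
            "tha": fmt_mac(frame[32:38]), "tpa": fmt_ip(frame[38:42])}

def detect_arp_spoof(frames):
    """Defender-side check over a list of frames: alert when an IP's MAC changes and
    when a single MAC claims more than one IP (arpspoof claims both target and host)."""
    ip_to_mac, mac_to_ips, alerts = {}, defaultdict(set), []
    for frame in frames:
        a = parse_arp(frame)
        if a is None or a["op"] not in (1, 2) or a["spa"] == "0.0.0.0":
            continue                                 # not ARP, or an ARP probe that claims nothing
        prev = ip_to_mac.get(a["spa"])
        if prev and prev != a["sha"]:
            alerts.append(f"{a['spa']} moved from {prev} to {a['sha']}")
        ip_to_mac[a["spa"]] = a["sha"]
        if a["spa"] not in mac_to_ips[a["sha"]]:
            mac_to_ips[a["sha"]].add(a["spa"])
            if len(mac_to_ips[a["sha"]]) > 1:
                alerts.append(f"{a['sha']} claims {sorted(mac_to_ips[a['sha']])}")
    return alerts

# Constructed sample with made-up addresses: HOST is the gateway, TARGET the victim,
# ATTACKER is the machine running arpspoof.
HOST_MAC, HOST_IP = "aa:aa:aa:aa:aa:01", "10.10.10.1"
TARGET_MAC, TARGET_IP = "cc:cc:cc:cc:cc:09", "10.10.10.9"
ATTACKER_MAC = "bb:bb:bb:bb:bb:66"

LEGIT_FRAMES = [
    arp_reply(HOST_MAC, HOST_IP, TARGET_MAC, TARGET_IP),      # gateway answers the victim
    arp_reply(TARGET_MAC, TARGET_IP, HOST_MAC, HOST_IP),      # victim answers the gateway
]
SPOOF_FRAMES = [                                              # what arpspoof -t TARGET -r HOST emits
    arp_reply(ATTACKER_MAC, HOST_IP, TARGET_MAC, TARGET_IP),  # to victim: "gateway is at attacker"
    arp_reply(ATTACKER_MAC, TARGET_IP, HOST_MAC, HOST_IP),    # to gateway: "victim is at attacker"
]

if __name__ == "__main__":
    for alert in detect_arp_spoof(LEGIT_FRAMES + SPOOF_FRAMES):
        print(alert)
```

The "moved" alert also fires on legitimate changes (a DHCP lease moving an IP to another NIC), so on a real network it is the combination with one MAC claiming several IPs, repeated every few seconds, that points at arpspoof.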

Other Notes

# To find DoS (SYN flood): bare SYNs with no ACK, typically many of them from one or a few sources
tcp.flags.syn == 1
tcp.flags.syn == 1 and tcp.flags.ack == 0

# To find passwords submitted through web forms (cleartext HTTP only)
http.request.method == POST

# More reference
https://www.comparitech.com/net-admin/wireshark-cheat-sheet/

# To spot DoS in the packet list: look for long runs of packets highlighted red and black by the default colouring rules with only one or two normal packets in between, then pick any packet in the run and check its source and destination IP and port (as the question asks).

Password sniffing using Wireshark

Remote-capture lab: the attacker captures on the target's interface through the Remote Packet Capture Protocol service (rpcapd, installed with WinPcap) and then looks for form logins in the capture.

Target

  • RDP into the target

  • Open Services

  • Start "Remote Packet Capture Protocol v.0 (experimental)"

  • Log off the target

Attacker

  • Wireshark->Capture options->Manage Interfaces->Remote Interfaces

  • Add a remote host and its interface

  • Fill in the host IP, port (2002 by default) and credentials, then start the capture

  • Stop the capture once the victim has logged in on the web site

  • File->Save As

  • Filter: http.request.method==POST, then read the form fields in the packet bytes (only cleartext HTTP shows credentials; HTTPS bodies are encrypted)
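The two checks from Other Notes (bare SYNs as a SYN-flood indicator, POST requests as the place credentials show up) and the http.request.method==POST step of the password-sniffing procedure, reimplemented in pure Python so the logic behind the display filters is visible. This is an added example, not code from these notes or from the Wireshark project: it builds a small libpcap file in memory with made-up addresses and a made-up login, parses Ethernet/IPv4/TCP itself, and runs both checks over it. Point read_pcap at the bytes of a real Ethernet capture and the same functions apply.

```python
import struct
from collections import Counter

SYN, SYNACK, ACK, PSHACK = 0x02, 0x12, 0x10, 0x18

def ip2b(ip):
    return bytes(int(o) for o in ip.split("."))

def tcp_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Ethernet/IPv4/TCP bytes for the sample capture; checksums stay zero because
    these frames are only parsed, never sent."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, ip2b(src_ip), ip2b(dst_ip))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp          # zeroed MACs, EtherType IPv4

# Constructed sample capture (not a real pcap): one cleartext form login, then a SYN flood.
LOGIN_POST = (b"POST /login HTTP/1.1\r\nHost: 10.10.10.15\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 30\r\n\r\n"
              b"username=alice&password=s3cr3t")
_frames = [
    tcp_frame("10.10.16.33", "10.10.10.15", 40001, 80, SYN),
    tcp_frame("10.10.10.15", "10.10.16.33", 80, 40001, SYNACK),
    tcp_frame("10.10.16.33", "10.10.10.15", 40001, 80, ACK),
    tcp_frame("10.10.16.33", "10.10.10.15", 40001, 80, PSHACK, LOGIN_POST),
] + [tcp_frame("10.10.14.22", "10.10.10.15", 1024 + i, 80, SYN) for i in range(200)]
# libpcap global header (magic, 2.4, tz, sigfigs, snaplen, linktype 1 = Ethernet) + one record per frame
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in _frames)

def read_pcap(data):
    """Minimal libpcap reader: yields (src, dst, sport, dport, tcp_flags, payload) for every
    IPv4/TCP packet in an Ethernet capture, i.e. what the ip.* and tcp.* filter fields see."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != 1:
        raise ValueError("Ethernet (linktype 1) captures only")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        pkt = data[off + 16 : off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:   # not IPv4, or not TCP
            continue
        ihl = (pkt[14] & 0x0F) * 4
        total_len, = struct.unpack_from("!H", pkt, 16)
        src = ".".join(map(str, pkt[26:30]))
        dst = ".".join(map(str, pkt[30:34]))
        t = 14 + ihl
        sport, dport = struct.unpack_from("!HH", pkt, t)
        data_off = (pkt[t + 12] >> 4) * 4
        yield src, dst, sport, dport, pkt[t + 13], pkt[t + data_off : 14 + total_len]

def syn_flood_sources(data, threshold=100):
    """tcp.flags.syn == 1 and tcp.flags.ack == 0, counted per source IP: any source
    with `threshold` or more bare SYNs is reported as a SYN-flood candidate."""
    bare_syn = Counter()
    for src, _, _, _, flags, _ in read_pcap(data):
        if flags & 0x02 and not flags & 0x10:
            bare_syn[src] += 1
    return {src: n for src, n in bare_syn.items() if n >= threshold}

def http_post_credentials(data):
    """http.request.method == POST narrowed to bodies carrying a password-like form field;
    returns (src, dst, fields) per hit. Only cleartext HTTP can match, TLS bodies are opaque."""
    hits = []
    for src, dst, _, _, _, payload in read_pcap(data):
        if not payload.startswith(b"POST "):
            continue
        _, _, body = payload.partition(b"\r\n\r\n")
        fields = dict(kv.split("=", 1) for kv in body.decode(errors="replace").split("&") if "=" in kv)
        if any("pass" in name.lower() for name in fields):
            hits.append((src, dst, fields))
    return hits

if __name__ == "__main__":
    print("SYN flood sources:", syn_flood_sources(SAMPLE_PCAP))
    for src, dst, fields in http_post_credentials(SAMPLE_PCAP):
        print(f"{src} -> {dst}: {fields}")
```

The threshold is per capture, not per second; for a long capture divide by the capture duration (the record timestamps, which this reader skips) before deciding what counts as a flood.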

Additional Resources

  • https://www.youtube.com/watch?v=4_7A8Ikp5Cc
  • wireshark | Kali Linux Tools: https://www.kali.org/tools/wireshark/
  • tcpdump | Kali Linux Tools: https://www.kali.org/tools/tcpdump/
  • TCPDUMP Tutorial (Samsar4/Ethical-Hacking-Labs, TCPDump-Tutorial.md on GitHub)
  • Detecting DoS Attack traffic: https://github.com/Samsar4/Ethical-Hacking-Labs/blob/master/9-Denial-of-Service/3-Detecting-DoS-Traffic.md
  • How to Use Wireshark: Comprehensive Tutorial + Tips (Varonis)
  • Wireshark Tutorial and Tactical Cheat Sheet (HackerTarget.com)
  • How to Use Wireshark: A Complete Tutorial (Lifewire)
  • Wireshark Cheat Sheet - Commands, Captures, Filters, Shortcuts & FAQs (Comparitech): https://www.comparitech.com/net-admin/wireshark-cheat-sheet/
  • Wireshark filters cheat sheet (Medium): https://medium.com/hacker-toolbelt/wireshark-filters-cheat-sheet-eacdc438969c
  • security-cheatsheet/wireshark-cheatsheet: https://github.com/security-cheatsheet/wireshark-cheatsheet
  • How to Use Wireshark to Capture, Filter and Inspect Packets (How-To Geek)
  • Wireshark Tutorial: Network & Passwords Sniffer (Guru99)
  • A tcpdump Tutorial with Examples - 50 Ways to Isolate Traffic (Daniel Miessler)
  • Tcpdump Examples - 22 Tactical Commands (HackerTarget.com)
  • An introduction to using tcpdump at the Linux command line (Opensource.com)