Extreme Hacking
Advanced Ethical Hacking Institute in Pune
This is going to be a fairly long tutorial on Wireshark. This is if you have had some sort of experience with wireshark and nmap, and you should have an above-average understanding of some basic protocols.
We will be covering some major scans including:
~ TCP SYN scan === nmap -sS
Explanation: Sends a SYN packet to an IP’s ports
~ TCP Christmas Scan === nmap -sX
Explanation: Sends a TCP packet with the flags PSH, URG, and FIN set
~ TCP Null Scan === nmap -sN
Explanation: Sends NO TCP flags (easy to detect)
~ TCP FIN Scan === nmap -sF
Explanation: Sends only a TCP FIN header
We will ONLY be covering TCP as it is the most common. If you’re interested in SCTP/UDP scans, feel free to PM me!’
We will be making our OWN color scheme. The default wireshark theme is never meant to be used. It’s malleable and meant to be played with.
Here is how we do that:
![[Image: ijAruJPOAJyOI.gif]](http://i.minus.com/ijAruJPOAJyOI.gif)
I’m going to set some of the default colors to my own.
Protocol – Background Color / Text Color
TCP – Dark Green / White
UDP – Dark Blue / White
ARP – Orange / Black
I have also set HTTP to Dark Green / Yellow off-camera.
This should color QUITE A BIT of the packets green and blue since 90% of them run on either TCP or UDP.
Here’s how:
![[Image: ik9XJOSlm4HNT.gif]](http://i.minus.com/ik9XJOSlm4HNT.gif)
1. Nmap SYN Scan (nmap -sS -v -n 192.168.1.1):
Alrightm so here is what the scan looks like in wireshark:
![[Image: 85705ce2d0e7c13c9d4e568e372d0d82.png]](http://gyazo.com/85705ce2d0e7c13c9d4e568e372d0d82.png)
Let’s look at the coloring rule and see why each is which. This is very easy.
Make sure the “Packet Details” panel is available. Click View -> Packet Details
The red is simple. It’s just a RST (reset) or RST ACK packet
Alright, now click on the packet you’d like to see and expand the “Frame” tag. Then you can look at the colorize rule and see exactly why it’s colored the way it is.
![[Image: e1f61ace8cf80bc17984ab979068511a.png]](http://gyazo.com/e1f61ace8cf80bc17984ab979068511a.png)
We can see that all of this grey is a TCP SYN packet. Hopefully you know that SYN requests are very common throught a network. When initiating a TCP connection (every time you visit a website), a SYN request is sent. So what makes this SYN request different than a normal SYN request?
NMAP SYN scans have a TCP window size of:
– 1024
– 2048
– 3072
– 4096
while normal SYN window sizes are usually much larger and vary constantly. So this is our key! We can also note that the FIN header is always on.
So, let’s write a rule. Here are some things you should note:
&& = and. Ex: tcp && udp = that will show something that has both TCP and UDP protocols
|| = or. Ex: tcp || udp = this will show anything that is either TCP OR UDP
! = not. Ex: !tcp = this will show everything that is NOT TCP protocol
That’s pretty much it!
So we know that it is TCP so let’s just make sure it’s TCP:
tcpAlright. So we also know that the TCP FIN header is also on. So let’s write that as well:
tcp && tcp.flags.fin ==1Alright, this may be just a little confusing if you’re not a coder. Basically, we want to see if the window size is any of the aforementioned window sizes. If any of them match (they can’t all match) then this will definitively prove a SYN scan without much chance for false positive. We are going to set this aside with () and will use || inside them. Let’s see:
tcp && tcp.flags.fin ==1 && (tcp.window_size==1024 || tcp.window_size==2048 || tcp.window_size==3072 || tcp.window_size==4096)Here I show a real SYN request (grey) and a NMap SYN request (orange).
![[Image: ibgdhP8pXd4DrT.gif]](http://i.minus.com/ibgdhP8pXd4DrT.gif)
There we go! We have finished our first scan!!! Now we can detect a very basic TCP SYN Scan!!! Hoorah!
2. Christmas Scan (nmap -sX -v -n 192.168.1.1):
Alright, let’s see the packet as we scan it. Open any packet you find and look at the packet details 🙂
What do we notice?
- Flag size = 0x29 in hex in EVERY PACKET
- PSH, URG, FIN set in EVERY PACKET
- It runs on TCP
Alright, lt’s go ahead and write a simple rule based on what we’ve noticed:
It’s TCP only, right? Yes.
tcpNow lets make sure the flag size is 0x29
tcp && tcp.flags==0x29Now, lastly, we need to specify the headers that are set:
txp && tcp.flags==0x29 && tcp.flags.fin==1 && tcp.flags.push==1 && tcp.flags.urg==1And that’s our rule! That will detect a Xmas scan!
![[Image: ibpjEgncCyz3C4.gif]](http://i.minus.com/ibpjEgncCyz3C4.gif)
3. TCP Null Scan (nmap -sN -v -n 192.168.1.1):
This is a very obvious one to detect…
What do you notice?
- TCP Flags is 0. There are NONE SET
- Winddow size is the same as all the others (1024, 2048, 3072, 4096)
Again, let’s write the rule.
tcp
tcp && tcp.flags==0x00 && (tcp.window_size==1024 || tcp.window_size==2048 || tcp.window_size==3072 || tcp.window_size==4096)Now you can follow the last 2 tutorials to add your own color-coded scheme 🙂
This one I want you to do yourself!
First write what you notice. Once you’re done, open the spoiler and see if you get the same things I have:
- Flags = 0x001
- Only the FIN bit is set
- Runs on TCP
- Windows size (1024, 2048, 3072, 4096)
Okay, once you’ve done that, try and write a simple rule!
tcp.flags==0x01 && tcp.flags.fin==1 && (tcp.window_size==1024 || tcp.window_size==2048 || tcp.window_size==3072 || tcp.window_size==4096)
www.extremehacking.org
CEHv8 CHFIv8 ECSAv8 CAST ENSA CCNA CCNA SECURITY MCITP RHCE CHECKPOINT ASA FIREWALL VMWARE CLOUD ANDROID IPHONE NETWORKING HARDWARE TRAINING INSTITUTE IN PUNE,Certified Ethical Hacking, Center For Advanced Security Training in India, IT Security Training Information Security Traning Courses in Pune, ceh certification in pune, Ethical Hacking Course in Pune