TSHARK CHEAT SHEET USES FOR PENTESTERS

This post shows a series of examples of the “tshark” command used for different purposes. The examples shown below are geared towards spotting interesting information about a particular protocol, for instance for:

  • Intrusion detection
  • Capture of credentials/hashes
  • Capture of suspicious traffic
  • etc…

Before we start we need to know a couple of details about tshark. It takes different parameters depending on the type of filter it receives, since it understands Wireshark display filters on the one hand and libpcap capture filters on the other.

You can see them with the command: “tshark --help”.

-f <capture filter>      packet filter in libpcap filter syntax
-Y <display filter>, --display-filter <display filter>
                         packet displaY filter in Wireshark display filter syntax
-o <name>:<value> ...    override preference setting
-e <field>               field to print if -Tfields selected
-R <read filter>, --read-filter <read filter>
                         packet Read filter in Wireshark display filter syntax

These are some of the generic parameters that tshark works with.

Write a pcap file:

  • tshark -w file_output.pcap

Read a pcap file:

  • tshark -r file-to-read.pcap

It is important to know the filter syntax to use, especially when combining filters to do specific searches on the analyzed traffic.

The display filter

  • tcp.port in {80 443 8080} is equivalent to: tcp.port == 80 || tcp.port == 443 || tcp.port == 8080
  • However, the display filter tcp.port in {443 4430..4434} is not equivalent to: tcp.port == 443 || (tcp.port >= 4430 && tcp.port <= 4434), because tcp.port matches both the source and the destination port, so the second expression is also satisfied when one port is >= 4430 and the other is <= 4434; the set membership test is applied to each port value on its own.

From here on we will group the different tshark commands by protocol.

ARP

ARP is useful for identifying hosts on a network and the communication between them. The command below shows the IP and MAC addresses of both the source and the destination of the communication established at the ARP level. For LAN monitoring purposes it can be useful to combine it with a white/black-list of MAC addresses.

sudo tshark -f "ether proto \arp" -Tfields -e arp.src.proto_ipv4 -e arp.src.hw_mac -e arp.dst.proto_ipv4 -e arp.dst.hw_mac
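As an added example (not part of the original post), the following Python script consumes the tab-separated output of the ARP command above and implements the white-list idea from a monitoring standpoint: it flags MAC addresses outside a hypothetical allow-list and IPs claimed by more than one MAC (the usual symptom of ARP cache poisoning). The SAMPLE_OUTPUT lines and the KNOWN_MACS set are constructed for the example.

```python
import sys
from collections import defaultdict

# Constructed sample of what the tshark command above prints (tab-separated):
# arp.src.proto_ipv4, arp.src.hw_mac, arp.dst.proto_ipv4, arp.dst.hw_mac
SAMPLE_OUTPUT = """\
192.168.1.10\taa:bb:cc:00:00:10\t192.168.1.1\t00:00:00:00:00:00
192.168.1.1\taa:bb:cc:00:00:01\t192.168.1.10\taa:bb:cc:00:00:10
192.168.1.77\tde:ad:be:ef:00:77\t192.168.1.1\t00:00:00:00:00:00
192.168.1.1\tde:ad:be:ef:00:77\t192.168.1.10\taa:bb:cc:00:00:10
"""

# Hypothetical allow-list of MACs expected on this LAN (constructed).
KNOWN_MACS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:10"}

def analyze_arp(lines, known_macs):
    """Return (unknown_macs, conflicts): MACs outside the allow-list, and
    {ip: set_of_macs} for every IP claimed by more than one MAC."""
    ip_to_macs = defaultdict(set)
    unknown = set()
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 4:
            continue  # tolerate blank or malformed lines
        src_ip, src_mac, dst_ip, dst_mac = (f.lower() for f in fields)
        pairs = [(src_ip, src_mac)]
        # In an ARP request the target MAC is all zeros (still unknown), so
        # only the sender pair is a real IP->MAC binding; replies carry both.
        if dst_mac != "00:00:00:00:00:00":
            pairs.append((dst_ip, dst_mac))
        for ip, mac in pairs:
            if ip and mac:
                ip_to_macs[ip].add(mac)
                if mac not in known_macs:
                    unknown.add(mac)
    conflicts = {ip: macs for ip, macs in ip_to_macs.items() if len(macs) > 1}
    return unknown, conflicts

if __name__ == "__main__":
    # Pass "-" to read live tshark output from stdin; otherwise use the sample.
    lines = sys.stdin if sys.argv[1:] == ["-"] else SAMPLE_OUTPUT.splitlines()
    unknown, conflicts = analyze_arp(lines, KNOWN_MACS)
    for mac in sorted(unknown):
        print(f"unknown MAC: {mac}")
    for ip, macs in sorted(conflicts.items()):
        print(f"IP {ip} claimed by several MACs: {', '.join(sorted(macs))}")
```

Run it as `sudo tshark -l -f "ether proto \arp" -Tfields ... | python3 arp_watch.py -` (with `-l` so tshark flushes each line) to monitor live, or without arguments to see it run on the constructed sample.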

TCP

We look at the packets with the SYN-ACK flags set, which tell us that a host has answered a TCP connection request; from there we can see who is trying to reach which open port:

sudo tshark -Y "tcp.flags == 0x012" -Tfields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport

DNS

sudo tshark -f "src port 53" -n -T fields -e dns.qry.name -e dns.a

FTP

Among the FTP response codes, 230 is returned when the login has succeeded, which confirms that the credentials used are valid.

sudo tshark -Y 'ftp' -Tfields -e ftp.request.arg -e ftp.request.command -e ftp.response.code

sudo tshark -Y "ftp.response.code == 230" -Tfields -e ftp.request.arg -e ftp.request.command -e ftp.response.code

HTTP

In this case the usefulness is limited, since most web services use an SSL/TLS certificate, because we are in 2023 and not in 1902. Later we will see that, if we have the certificate, it is actually easy to decrypt this traffic and work with it.

sudo tshark -f "src port 80" -n -T fields -e http.request.uri -e http.response.code

NTLMSSP

Many times we delegate to third-party tools what we can obtain with simple tshark commands. NTLM hashes travel through the network like any other element, and understanding the parts that make them up is of great help when working against the protocol.

sudo tshark -Tfields -Y "ntlmssp" -e "ntlmssp.auth.username" -e "ntlmssp.ntlmv2_response" -e "ntlmssp.ntlmserverchallenge" -e "ntlmssp.challenge.target_info" 
hashcat -m 5600 hash.txt dicc.txt