Threat Hunting With Tshark

Project Name: Threat Hunting with Tshark

Description: Whether you are a threat hunting engineer or a security/network administrator, analyzing network traffic is a core requirement and a routine part of cyber defense work. When we talk about network capture, Wireshark is the first tool that comes to mind, widely known for its in-depth analysis of the network layers. Wireshark, however, requires a graphical user interface (GUI). If you work in the threat hunting domain you spend most of your time on a black screen, the shell. If you are a Wireshark follower, you can still use Wireshark from the shell: Tshark is the Wireshark command-line tool. So a passive threat hunter should prefer using Tshark.

Author: Rohit D Sadgune / Amruta Sadgune

FAQ:-

  1. Network threat hunting using Tshark
  2. Threat hunting with live network traffic
  3. Threat hunting with packet captured files
  4. Network threat hunting attributes
  5. Types of network threat hunting
  6. Complete reference guide for Tshark

Types of Network Threat Hunting

Active Hunting: The type of network threat hunting where hunters look for adversaries in live traffic, in real time.

Passive Hunting: In this type of threat hunting, hunters use previously captured traffic to look back across the infrastructure and find an adversary that was not detected at the time.

Benefits of Threat Hunting Using Tshark

  Tshark is useful for hunting in the following scenarios.

  • Hunting for persistent communication or beaconing in East-West and North-South traffic.
  • Investigating which protocol is used to reach a service.
  • Inspecting the status of the destination to which communication is going.
  • Inspecting the status of the source from which the communication is coming.

Tshark Details

Tshark is a network protocol investigation tool. It helps threat hunters capture packet data from a live network or read packets from a previously saved capture file. Tshark's native capture file format is libpcap, which is also the format used by tcpdump and various other tools.

Tshark uses the pcap library to capture traffic from the available network interfaces and prints a one-line summary of each received packet. Tshark can detect, read and write the same capture file formats that Wireshark supports.

Please find below the network traffic attributes (field names) used in Tshark for a threat hunting exercise. The same direction qualifier takes a different field name depending on the protocol layer (for example ip.src, tcp.dstport, udp.port):

direction      eth     ip      tcp        udp
source         src     src     srcport    srcport
destination    dst     dst     dstport    dstport
either         addr    addr    port       port

A selection of capture (-f switch) filters

Specifier          Description
host               4 decimal digit dot separated IP address
net                A range of 4 decimal digit dot separated IP addresses
src net            From a range of IP addresses
dst                To a range of IP addresses
mask               Netmask to apply to an IP address
arp                Address Resolution Protocol
ether proto        Ethernet type field
ether dst          Ethernet MAC address of the destination
broadcast          Broadcast message across the network
multicast          Ethernet multicast packet
tcp portrange      Hyphen (-) separated range of TCP port numbers
dst port           Destination port number
tcp port           TCP port number
ip                 All IPv4 traffic
not                NOT the following
and                Logical AND of the two adjacent parameters
or                 Logical OR of the two adjacent parameters

A selection of display (-Y switch) filters

Field                  Description
frame.time_relative    Relative packet time stamp
frame.len              Length of the packet
frame.protocols        Protocols to which the packet belongs
frame.number           Packet number in the data stream
ip.src                 Sender's IP address
ip.dst                 Receiver's IP address
ip.len                 Length of the IP packet
tcp.srcport            TCP source port
tcp.dstport            TCP destination port
udp.port               UDP port number
col.Info               Received packet's Info column
http.response.code     HTTP response code number
||                     Logical OR

Threat Hunting with Tshark: Commands

Active Hunting — Threat Hunting with Live Network Traffic

RDS-HUNT# tshark -i any :- Capture traffic on all interfaces.

RDS-HUNT# tshark -f "host 192.168.1.12 and (dst port 80 or 443)" :- This command uses the traditional "pcap" (BPF) capture filter to select what to capture from your interface.

RDS-HUNT# tshark -Y 'dns.qry.name == "hackforlab.com"' :- This command captures DNS traffic for a specific domain (here we have selected hackforlab.com).

RDS-HUNT# tshark -i eth0 -f "tcp port 22 and not src host 192.168.1.12" :- This command captures all SSH traffic except that sourced from the 192.168.1.12 IP address.

RDS-HUNT# tshark -i eth0 -Y http.request -T fields -e http.host -e http.user_agent :- This command extracts only the host and user-agent of HTTP requests seen on the eth0 interface.

RDS-HUNT# tshark -i eth0 -f "src port 53" -n -T fields -e frame.time -e ip.src -e ip.dst -e dns.qry.name -e dns.resp.addr :- This command extracts the timestamp, source address, destination address, DNS query name and DNS response address from the eth0 interface.

RDS-HUNT# tshark -i eth0 -f "port 67 or port 68" -w dhcp_attack_hunt.pcap -P :- This command captures only DHCP packets, saving them to dhcp_attack_hunt.pcap while still printing the packet summary (-P).

RDS-HUNT# tshark -i eth0 -Y "(tcp.dstport >= 1024 and tcp.dstport < 10000) or udp" :- This command displays TCP traffic to non-standard destination ports in the range 1024 to 10000, plus all UDP traffic.

RDS-HUNT# tshark -i eth0 -Y "http.request.uri contains string(ip.dst)" :- This command hunts for clients on the local network accessing web servers directly by IP address (the destination IP appears inside the request URI).

RDS-HUNT# tshark -i eth0 -Y "tcp.flags.fin == 1" :- This command captures TCP segments with the FIN flag set.

RDS-HUNT# tshark -s 1024 -i eth0 -n -f 'tcp dst port 80' -Y 'http.host and http.request.uri' -T fields -e http.host -e http.request.uri -l | tr -d '\t' :- This command hunts for HTTP request stream information. Note: -s: only capture the first 1024 bytes of each packet; -i: capture on the eth0 network card; -n: disable network object name resolution; -f: only capture TCP with destination port 80; -Y: keep only packets that have both http.host and http.request.uri (-Y replaces the older -R read filter, which now requires two-pass mode, -2); -T fields and -e: print those two fields; -l: flush output after each packet so it can be piped; tr -d '\t': strip the tab between the two fields so host and URI print joined.

RDS-HUNT# tshark -s 512 -i eth0 -n -f 'tcp dst port 3306' -Y 'mysql.query' -T fields -e mysql.query :- This command hunts the MySQL query statements being sent right now, in real time (-Y mysql.query: keep only packets carrying a MySQL query).

RDS-HUNT# tshark -r test.cap -Y '(smpp.command_id == 0x80000004) and (smpp.command_status == 0x0)' -T fields -E header=y -e smpp.message_id -e frame.time > test.txt :- This command hunts SMPP protocol headers and values: it writes the message id and timestamp of every successful submit_sm_resp (command id 0x80000004, status 0) to test.txt.

RDS-HUNT# tshark -s 0 -i eth1 -n -f 'tcp dst port 80' -Y 'http.host and http.request.uri' -T fields -e http.host -e http.request.uri -l -c 200 :- This command stops after 200 captured packets and prints out the visited URLs (host and URI).

RDS-HUNT# tshark -n -t a -Y ssl -T fields -e ip.src -e ssl.app_data -e http.request.uri -l -c 200 :- This command stops after 200 packets and prints the source IP, SSL application data and any request URI of SSL traffic, with absolute timestamps (-t a). On Wireshark 3.x and later the protocol and its fields are named tls rather than ssl.

RDS-HUNT# tshark -f 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' -Y 'http.request.method == "GET" || http.request.method == "HEAD" || http.request.method == "POST"' :- This command sniffs HTTP requests that use the GET, HEAD or POST method. The capture filter keeps only TCP port 80 segments that carry a payload (IP total length minus IP header length minus TCP header length is non-zero), so empty ACKs are dropped before the display filter runs.

RDS-HUNT# tshark -i 2 -f 'port 110' -Y 'pop.request.parameter contains "user"' -w /tmp/pop_hunting.pcap :- This command captures all port 110 (POP3) traffic on interface number 2, keeps only packets whose request parameter contains 'user', and saves them to a PCAP file (-w writes packet data; redirecting the text output would not produce a valid PCAP).

RDS-HUNT# tshark -Y "ip.src == 192.168.4.51 && ip.addr != 192.168.1.144 && ip.len < 1800" :- This command displays all packets coming from 192.168.4.51, except those exchanged with 192.168.1.144, that have an IP length of less than 1800 bytes. The conditions are combined with && in one filter, because giving -Y twice keeps only the last one.

Passive Hunting — Threat Hunting with Packet Captured Files.

RDS-HUNT# tshark -r dns_port.pcap :- Read a PCAP file.

RDS-HUNT# tshark -nr Network-Hunting.pcap -qz "io,phs" :- This command prints protocol hierarchy statistics (-q suppresses the per-packet output).

RDS-HUNT# tshark -q -r Network-Hunting.pcap -Y http -z http,tree :- This command gives statistics for a specific protocol (here we have selected HTTP).

RDS-HUNT# tshark -T fields -e frame.number -e ip.addr -e ip.len -r RDS.pcap :- This command lists the frame number, addresses and length of each IP packet in RDS.pcap.

RDS-HUNT# tshark -r arp-storm.pcap -z conv,tcp :- This command lists only the TCP conversations.

RDS-HUNT# tshark -r Evidence06.pcap -z conv,ip :- This command lists all IP conversations.

RDS-HUNT# tshark -r dns_port.pcap 'ip.src == 192.168.1.4' :- List packets with a specific source IP address from the DNS capture.

RDS-HUNT# tshark -r dns_port.pcap 'ip.dst == 192.168.1.4' :- List packets with a specific destination IP address from the DNS capture.

RDS-HUNT# tshark -r Malware-Traffic-hunting-1.pcap/malware-hunting.pcap -T fields -e ip.src -e ip.dst :- This command extracts the source and destination address fields.

RDS-HUNT# tshark -r Network-Hunting.pcap -T fields -e http.user_agent | grep python :- This command hunts for a Python user agent.

RDS-HUNT# tshark -r Network-Hunting.pcap -T fields -e http.user_agent | sort | uniq :- This command gives the unique user-agents used for communications.

RDS-HUNT# tshark -nr Network-Hunting.pcap -V :- Print packet details in tree format.

RDS-HUNT# tshark -r a.pcap -2 -R "tcp.port == 80" -T fields -E header=y -E separator=/t -E aggregator=/s -e eth.src -e ip.src -e ip.dst -e tcp.port | more :- This command hunts for source, destination and port details (separator=/t puts a tab between fields; aggregator=/s puts a space between multiple values of one field, such as the two tcp.port values).

RDS-HUNT# tshark -r 4-SL.pcap -2 -R 'frame contains "php"' -V | more :- This command gives frame-by-frame details of frames that contain the string PHP.

RDS-HUNT# tshark -r Evidence01.pcap -Y "http" | grep -i portal | more :- This command hunts for HTTP traffic mentioning a portal.

RDS-HUNT# tshark -r Evidence01.pcap -Y 'http.referer == "https://hackforlab.com/p/Evidence01/"' -T fields -e http.referer | more :- This command analyzes referrer-based traffic of the hackforlab.com domain.

RDS-HUNT# tshark -r Network-Hunting.pcap -T fields -e ip.src -e ip.dst "ip.dst == 192.168.1.10" | head :- -T fields with -e selects which fields to print; the trailing display filter restricts the output to packets destined for 192.168.1.10.

RDS-HUNT# tshark -r /tmp/threat_hunt.pcap -T fields -e ip.src -e ip.dst | awk -F " " '{print $1"\n"$2"\n"}' | sort | uniq | grep -v "^$" > /tmp/passive_hunt.txt :- This command passively collects all source and destination IPs, sorted and unique, and saves them to a file.

RDS-HUNT# tshark -r dns_port.pcap -T fields -e frame.number -e frame.encap_type -e frame.protocols -e frame.len -e ip.addr -E separator=, -E quote=d > passive_threat_hunt.csv :- This command hunts for important fields in the PCAP file and stores their values in passive_threat_hunt.csv.

RDS-HUNT# tshark -2 -r Evidence01.pcap -R "http.request.line || http.file_data || http.response.line" -T fields -e http.request.line -e http.file_data -e http.response.line -E header=y :- This command analyzes the request header, response header and response data of the HTTP protocol.

RDS-HUNT# tshark -r Network-Hunting.pcap -T fields -E header=y -E separator=, -E quote=d -E occurrence=f -e ip.version -e ip.hdr_len -e ip.tos -e ip.id -e ip.flags -e ip.flags.rb -e ip.flags.df -e ip.flags.mf -e ip.frag_offset -e ip.ttl -e ip.proto -e ip.checksum -e ip.src -e ip.dst -e ip.len -e ip.dsfield -e tcp.srcport -e tcp.dstport -e tcp.seq -e tcp.ack -e tcp.len -e tcp.hdr_len -e tcp.flags -e tcp.flags.fin -e tcp.flags.syn -e tcp.flags.reset -e tcp.flags.push -e tcp.flags.ack -e tcp.flags.urg -e tcp.flags.cwr -e tcp.window_size -e tcp.checksum -e tcp.urgent_pointer -e tcp.options.mss_val :- This command hunts for and extracts the most valuable IP and TCP fields from a captured PCAP file.

RDS-HUNT# tshark -r Evidence06.pcap -T fields -E header=y -E separator=, -E quote=d -E occurrence=f -e ip.src -e ip.dst -e ip.len -e ip.flags.df -e ip.flags.mf -e ip.fragment -e ip.fragment.count -e ip.fragments -e ip.ttl -e ip.proto -e tcp.window_size -e tcp.ack -e tcp.seq -e tcp.len -e tcp.stream -e tcp.urgent_pointer -e tcp.flags -e tcp.analysis.ack_rtt -e tcp.segments -e tcp.reassembled.length -e dtls.handshake.extension.len -e dtls.handshake.extension.type -e dtls.handshake.session_id -e dtls.handshake.session_id_length -e dtls.handshake.session_ticket_length -e dtls.handshake.sig_hash_alg_len -e dtls.handshake.sig_len -e dtls.handshake.version -e dtls.heartbeat_message.padding -e dtls.heartbeat_message.payload_length -e dtls.heartbeat_message.payload_length.invalid -e dtls.record.content_type -e dtls.record.length -e dtls.record.sequence_number -e dtls.record.version -e dtls.change_cipher_spec -e dtls.fragment.count -e dtls.handshake.cert_type.types_len -e dtls.handshake.certificate_length -e dtls.handshake.certificates_length -e dtls.handshake.cipher_suites_length -e dtls.handshake.comp_methods_length -e dtls.handshake.exponent_len -e dtls.handshake.extensions_alpn_str -e dtls.handshake.extensions_alpn_str_len -e dtls.handshake.extensions_key_share_client_length -e http.request -e udp.port -e frame.time_relative -e frame.time_delta -e tcp.time_relative -e tcp.time_delta > network-traffic-investigation.csv :- This command investigates and exports the most valuable IP, TCP and DTLS fields from a captured PCAP file (duplicate -e entries from the original command list have been removed).

RDS-HUNT# tshark -r mta1.pcap -Y "tcp.flags.syn eq 1" -T fields -E header=y -E separator=, -E quote=d -E occurrence=f -e ip.version -e ip.hdr_len -e ip.tos -e ip.id -e ip.flags -e ip.flags.rb -e ip.flags.df -e ip.flags.mf -e ip.frag_offset -e ip.ttl -e ip.proto -e ip.checksum -e ip.src -e ip.dst -e ip.len -e ip.dsfield -e tcp.srcport -e tcp.dstport -e tcp.seq -e tcp.ack -e tcp.len -e tcp.hdr_len -e tcp.flags -e tcp.flags.fin -e tcp.flags.syn -e tcp.flags.reset -e tcp.flags.push -e tcp.flags.ack -e tcp.flags.urg -e tcp.flags.cwr -e tcp.window_size -e tcp.checksum -e tcp.urgent_pointer -e tcp.options.mss_val > network-traffic-investigation-1.csv :- If you want to filter traffic and only need the first packet of each network conversation (the SYN), you can apply that filter with the -Y option.
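The beaconing hunt listed under the benefits above is what the CSV exports in this section feed into. The following is an added example, not code from the original page: it parses the output of a constructed `tshark -T fields -E header=y -E separator=, -E quote=d` export (field names as on this page; the sample rows and the 0.05 jitter threshold are assumptions) and flags flows whose inter-arrival timing is too regular to be human-driven.

```python
import csv
import io
import statistics
from collections import defaultdict

# Constructed sample of what `tshark -r hunt.pcap -T fields -E header=y -E separator=, -E quote=d
# -e frame.time_relative -e ip.src -e ip.dst -e tcp.dstport` prints. Host 10.0.0.5 contacts
# 203.0.113.9:443 every ~60 s (beacon-like); the 10.0.0.7 flow is irregular and short.
SAMPLE = """frame.time_relative,ip.src,ip.dst,tcp.dstport
"0.000000","10.0.0.5","203.0.113.9","443"
"3.120000","10.0.0.7","192.0.2.20","80"
"60.010000","10.0.0.5","203.0.113.9","443"
"71.500000","10.0.0.7","192.0.2.20","80"
"119.990000","10.0.0.5","203.0.113.9","443"
"122.300000","10.0.0.7","192.0.2.20","80"
"180.020000","10.0.0.5","203.0.113.9","443"
"240.000000","10.0.0.5","203.0.113.9","443"
"""

def parse_fields_csv(text):
    """Parse tshark -T fields CSV output into (time, src, dst, dstport) tuples; rows without IP are skipped."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["ip.src"] and row["ip.dst"]:
            rows.append((float(row["frame.time_relative"]), row["ip.src"], row["ip.dst"], row["tcp.dstport"]))
    return rows

def beacon_candidates(rows, min_packets=4, max_jitter=0.05):
    """Group packets per (src, dst, dstport), take the inter-arrival deltas and flag flows whose
    jitter (stdev / mean of the deltas) is at most max_jitter: very regular timing suggests beaconing."""
    flows = defaultdict(list)
    for t, src, dst, port in rows:
        flows[(src, dst, port)].append(t)
    hits = {}
    for key, times in flows.items():
        if len(times) < min_packets:      # too few packets to judge regularity
            continue
        times.sort()
        deltas = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(deltas)
        jitter = statistics.pstdev(deltas) / mean if mean > 0 else float("inf")
        if jitter <= max_jitter:
            hits[key] = {"interval": round(mean, 2), "jitter": round(jitter, 4), "packets": len(times)}
    return hits

if __name__ == "__main__":
    for key, info in beacon_candidates(parse_fields_csv(SAMPLE)).items():
        print(key, info)
```

Real beacons add random sleep ("jitter") on purpose, so treat the threshold as a starting point and corroborate hits with the destination and user-agent checks shown earlier in this section.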

Core Working Areas :- Threat Intelligence, Digital Forensics, Incident Response, Fraud Investigation, Web Application Security Technical Certifications :- Computer Hacking Forensics Investigator | Certified Ethical Hacker | Certified Cyber crime investigator | Certified Professional Hacker | Certified Professional Forensics Analyst | Redhat certified Engineer | Cisco Certified Network Associates | Certified Firewall Solutions | Certified Network Monitoring Solution | Certified Proxy Solutions
