Project Name: Threat Hunting with Tshark
Description: – Whomsoever you are a threat hunting engineer or a security/network administrator, it’s your core requirement to analyze network traffic which is a routine part of cyber defense activity. When we talk about network capture, Wireshark is the first thing that comes to mind, widely known for its in-depth analysis on network layer. Wireshark requires a graphic user interface (GUI). If you are in a threat hunting domain you have to work on black screens named as the shell. However, if you are Wireshark follower, you can use Wireshark in the shell. Tshark is Wireshark Command-Line Tool. So, a passive threat hunter should prefer using Tshark .
Author: Rohit D Sadgune / Amruta Sadgune
FAQ:-
- Network threat hunting using Tshark
- Threat hunting with live network traffic
- Threat hunting with packet captured files
- Network threat hunting attributes
- Types of network threat hunting
- Complete reference guide for Tshark
Types of Network Threat Hunting
Active Hunting: It is the type of network threat hunting where the hunters hunt for adversaries in real-time.
Passive Hunting: In this type of threat hunting, threat hunters leverage transacted traffic to look back across the infrastructure to hunt if a adversary exists that was not previously detected.
Benefits of Threat Hunting Your Using Tshark.
Tshark can be useful in hunting for following scenarios.
- Hunt for persistent communication or beaconing on East-West & North-South traffic.
- Investigation of the protocol to service being used.
- Inspect the status of the destination to which communication is going.
- Inspect the status of the source from which the communication is coming.
Tshark Details
Tshark is a network protocol investigation tool. It helps threats hunters to capture packet data from a live network, or read packets from the earlier saved captured file. Tshark ‘s native record file format is libpcap, which is also the format used by tcpdump and various other tools.
Tshark also uses pcap library to capture traffic from the available network interface and represents an abstracted lines of each received packets. Tshark is able to detect, read and write the same captured files that are supported by Wireshark.
Please find below the network traffic attributes / fields used in Tshark for threat hunting exercise.
direction | eth | ip | tcp | udp |
| source | src | src | srcport | srcport |
| destination | dst | dst | dstport | dstport |
| either | addr | addr | port | port |
A selection of fetch (-f switch) filters
| Specifier | Description |
| host | 4 decimal digit dot separated IP address |
| net | A range of 4 decimal digit dot separate IP address |
| src net | From a range of IP addresses |
| dst | To a range of IP addresses |
| mask | To apply to IP address |
| arp | Address Resolution Protocol |
| ether proto | ethernet type field |
| ether dst | ethernet MAC address of destination |
| broadcast | Broadcast message across the network |
| multicast | ethernet multicast packet |
| tcp portrange | Hyphen (-) separated range of TCP port numbers |
| dst port | Destination port number |
| tcp port | TCP port number |
| ip | All IPv4 traffic |
| not | NOT the following |
| and | logical AND of the two adjacent parameters |
| or | logical OR of the two adjacent parameters |
A selection of display (-Y switch) filters
| frame.time relative | Relative packet time stamp |
| frame.len | Length of the packet |
| frame.protocols | Protocol to which the packet belongs |
| frame.number | Packet number in the data stream |
| ip.src | Sender’s IP address |
| ip.dst | Receiver’s IP address |
| ip.len | length of the IP packet |
| tcp.srcport | TCP source port |
| tcp.dstport | TCP destination port |
| udp.port | UDP port number |
| col.Info | Received packet’s content |
| http.response.code | HTTP response code number |
| || | logical OR |
Passive Threat Hunting with Tshark
Active Hunting — Threat Hunting with Live Network Traffic
RDS-HUNT# Tshark -i any :- For capturing traffic on all interfaces.
RDS-HUNT# Tshark -f “host 192.168.1.12 and (dst port 80 or 443)” :- This command uses the traditional “pcap” filter to select what to capture from your interface.
RDS-HUNT# Tshark -Y “dns.qry.name==”hackforlab.com”” :- This command will help you to capture DNS traffic fo specific domain. (Here we have seleted hackforlab.com)
RDS-HUNT# Tshark -i eth0 -f “tcp port 22 and not src host 192.168.1.12” :- This command will help you to capture all SSH traffic, except “192.168.1.2” IP-Address.
RDS-HUNT# Tshark -i eth0 -Y http.request -T fields -e http.host -e http.user_agent :- This command will extract only http request data from eth0 interface.
RDS-HUNT# Tshark -i eth0 -f “src port 53” -n -T fields -e frame.time -e ip.src -e ip.dst -e dns.qry.name -e dns.resp.addr :- This command will extract source address, destination address, DNS request, DNS response from eth0 interface.
RDS-HUNT# Tshark -w dhcp_attack_hunt.pcap -f “port 67 or port 68” -i eth0 -P :- This command will help you to extract only DHCP packets.
RDS-HUNT# Tshark -i eth0 -Y “(tcp.dstport >= 1024 and tcp.dstport < 10000) or udp” :- This command will help you to display UDP traffic of non-standard port with rage of 1045 – 10000.
RDS-HUNT# Tshark -i eth0 -Y “http.request.uri contains string(ip.dst)” :- This command will help you to hunt for client’s direct web access packets for local network.
RDS-HUNT# Tshark -i eth0 -Y “tcp.flags.fin==1” :- This command will help you to capture TCP traffic for FIN flag.
RDS-HUNT# Tshark -s 1024 -i eth0 -n -f ‘tcp dst port 80’ -R & lt ‘http.host and http.request.uri’ -T fields -e http.host -e http.request.uri -l | TR – d’\t’ Note: -s: only capture the first 1024 bytes; -i: capture the eth0 network card; -n: disable network object name resolution; -f: only capture the protocol as tcp and the destination port as 80; -R : Filter out http.host and http.request.uri; -T,-e: refers to printing these two fields; -I: output to the command line interface; This command will help you to hunt for HTTP protocol stream related information
RDS-HUNT# Tshark -s 512- i eth0 -n -f’tcp dst port 3306′ -R’mysql.query’ -T fields -e mysql.query :- Thic command will help you to hunt the current mysql query statement in real time. (-R: Filter out mysql query statements)
RDS-HUNT# Tshark -r test.cap -R'(smpp.command_id==0x80000004) and (smpp.command_status==0x0)’ -e smpp.message_id -e frame.time -T fields -E header=y >test.txt :- This command will help you to hunt smpp protocol header and value
RDS-HUNT# Tshark -s 0 -i eth1 -n -f’tcp dst port 80′ -R’http.host and http.request.uri’ -T fields -e http.host -e http.request.uri -l -c 200 :- This command will extract 200 packet and print out the visited URL
RDS-HUNT# Tshark -n -ta Fields -e ssl -T -R & lt “ip.src” -e “ssl.app_data” -e http.request.uri -l -c 200 :- This command will extract 200 packet and print out the visited SLL URL.
RDS-HUNT# Tshark ‘tcp port 80 and (((ip[2:2] – ((ip[0]&0xf)<<2)) – ((tcp[12]&0xf0)>>2)) != 0)’ -R ‘http.request.method == “GET” || http.request.method == “HEAD” || http.request.method == “POST”‘ :- This command will help you to sniff HTTP request based on GET, HEAD, POST method.
RDS-HUNT# Tshark -i 2 -f ‘port 110’ -R ‘pop.request.parameter contains ‘user” > /tmp/pop_hunting.pcap :- captures all port 110 traffic and filters out the ‘user’ command and saves it to a PCAP file
RDS-HUNT# Tshark -Y “ip.addr != 192.168.1.144 && ip.len < 1800” \ -Y “ip.src == 192.168.4.51” :- This command will display all packets coming from 192.168.4.51 except to 192.168.1.144 and have length less than 1800 bytes.
Passive Hunting — Threat Hunting with Packet Captured Files.
RDS-HUNT# Tshark -r dns_port.pcap :- Command to read PCAP file
RDS-HUNT# Tshark -nr Network-Hunting.pcap -qz “io,phs” :- This command will help you to get details on protocol hierarchy statistics.
RDS-HUNT# Tshark -q -r Network-Hunting.pcap -Y http -z http,tree :- This command will help you hunt for statistics for a Specific Protocol. (Here we have selected HTTP protocol)
RDS-HUNT# Tshark -T fields -e frame.number -e ip.addr -e ip.len -r RDS.pcap :- This command will help you to analyze the address and length of each of those IP packets as they occur on the network to which the computer running this command is connected.
RDS-HUNT# Tshark -r arp-storm.pcap -z conv,tcp :- Command will help you to hunt only TCP communications
RDS-HUNT# Tshark -r Evidence06.pcap -z conv,ip :- This command will help you to hunt for all IP conversation.
RDS-HUNT# Tshark -r dns_port.pcap ip.host==”192.168.1.4″ :- List of packets with a specific source IP address from DNS captured PCAP.
RDS-HUNT# Tshark -r dns_port.pcap ip.dst==”192.168.1.4″ :- List of packets with a specific destination IP address from DNS captured PCAP.
RDS-HUNT# Tshark -r Malware-Traffic-hunting-1.pcap/malware-hunting.pcap -T fields -e ip.src -e ip.dst :- This command will help you to extract fields source address and destination address.
RDS-HUNT# Tshark -r Network-Hunting.pcap -T fields -e http.user_agent | grep python :- This command will help you to hunt for python user agent.
RDS-HUNT# Tshark -r Network-Hunting.pcap -T fields -e http.user_agent | sort | uniq :- This command will give you the unique user-agent used for communications.
RDS-HUNT# Tshark -nr Network-Hunting.pcap -V :- Get packet details in tree format.
RDS-HUNT# Tshark -r a.pcap -2 -R “tcp.port==80″ -E header=y -E separator=/t -e eth.src -e ip.src -e ip.dst -T fields -e tcp.port -E aggregator=”/s” | more :- This command will help you to hunt for source, destination and port details.
RDS-HUNT# Tshark -r 4-SL.pcap -2 -R “frame contains \”php\”” -V | more :- This command will help you to get frame by frame details which contain PHP.
RDS-HUNT# Tshark -r Evidence01.pcap -Y “http” | grep -i portal | more :- This command will help you to hunt for http portal based traffic.
RDS-HUNT# Tshark -r 10- Evidence01.pcap -Y “http.referer == \”https:\/\/hackforlab.com\/p\/ Evidence01\/\”” -T fields -e “http.referer”| more – This command will help you to analyze referrer based traffic of hackforlab.com domain.
RDS-HUNT# Tshark -r Network-Hunting.pcap -T fields -e ip.src -e ip.dst ip.dst==192.168.1.10 | head:- -T fields & -e to identify which specific fields to print.
RDS-HUNT# Tshark -r /tmp/threat_hunt.pcap -T fields -e ip.src -e ip.dst | awk -F ” ” ‘{print $1″\n”$2″\n”}’ | sort | uniq | grep -v “^$” > /tmp/passive_hunt.txt: – This command will help you passively hunt to collect all source and destination IPs in unique and sorted and save a file.
RDS-HUNT# Tshark -r dns_port.pcap -T fields -e frame.number -e frame.encap_type -e frame.protocols -e frame.len -e ip.addr -E separator=, -E quote=d > passive_threat_hunt.csv :- This command will help you to hunt for important fileds from PCAP files and store that fields value in passive_threat_hunt.csv file.
RDS-HUNT# Tshark -2 -r Evidence01.pcap -R “http.request.line || http.file_data || http.response.line” -T fields -e http.request.line- e http.file_data -e http.response.line -E header=y :- This command will help you to analyze the request header, response header, and response data of the http protocol.
RDS-HUNT# Tshark -r Network-Hunting.pcap -T fields -E header=y -E separator=, -E quote=d -E occurrence=f -e ip.version -e ip.hdr_len -e ip.tos -e ip.id -e ip.flags -e ip.flags.rb -e ip.flags.df -e ip.flags.mf -e ip.frag_offset -e ip.ttl -e ip.proto -e ip.checksum -e ip.src -e ip.dst -e ip.len -e ip.dsfield -e tcp.srcport -e tcp.dstport -e tcp.seq -e tcp.ack -e tcp.len -e tcp.hdr_len -e tcp.flags -e tcp.flags.fin -e tcp.flags.syn -e tcp.flags.reset -e tcp.flags.push -e tcp.flags.ack -e tcp.flags.urg -e tcp.flags.cwr -e tcp.window_size -e tcp.checksum -e tcp.urgent_pointer -e tcp.options.mss_val :- Thic ommand will help you to hunt and extract most valuable field from network traffic captured PCAP file.
RDS-HUNT# tshark -r Evidence06.pcap -T fields -E header=y -E separator=, -E quote=d -E occurrence=f -e ip.src -e ip.dst -e ip.len -e ip.flags.df -e ip.flags.mf -e ip.fragment -e ip.fragment.count -e ip.fragments -e ip.ttl -e ip.proto -e tcp.window_size -e tcp.ack -e tcp.seq -e tcp.len -e tcp.stream -e tcp.urgent_pointer -e tcp.flags -e tcp.analysis.ack_rtt -e tcp.segments -e tcp.reassembled.length -e dtls.handshake.extension.len -e dtls.handshake.extension.type -e dtls.handshake.session_id -e dtls.handshake.session_id_length -e dtls.handshake.session_ticket_length -e dtls.handshake.sig_hash_alg_len -e dtls.handshake.sig_len -e dtls.handshake.version -e dtls.heartbeat_message.padding -e dtls.heartbeat_message.payload_length -e dtls.heartbeat_message.payload_length.invalid -e dtls.record.content_type -e dtls.record.content_type -e dtls.record.length -e dtls.record.sequence_number -e dtls.record.version -e dtls.change_cipher_spec -e dtls.fragment.count -e dtls.handshake.cert_type.types_len -e dtls.handshake.certificate_length -e dtls.handshake.certificates_length -e dtls.handshake.cipher_suites_length -e dtls.handshake.comp_methods_length -e dtls.handshake.exponent_len -e dtls.handshake.extension.len -e dtls.handshake.extensions_alpn_str -e dtls.handshake.extensions_alpn_str_len -e dtls.handshake.extensions_key_share_client_length -e http.request -e udp.port -e frame.time_relative -e frame.time_delta -e tcp.time_relative -e tcp.time_delta > network-traffic-investigation.csv :- This ommand will help you to investigate and export most valuable field from network traffic captured PCAP file.
RDS-HUNT# tshark -r mta1.pcap -Y “tcp.flags.syn eq 1” -T fields -E header=y -E separator=, -E quote=d -E occurrence=f -e ip.version -e ip.hdr_len -e ip.tos -e ip.id -e ip.flags -e ip.flags.rb -e ip.flags.df -e ip.flags.mf -e ip.frag_offset -e ip.ttl -e ip.proto -e ip.checksum -e ip.src -e ip.dst -e ip.len -e ip.dsfield -e tcp.srcport -e tcp.dstport -e tcp.seq -e tcp.ack -e tcp.len -e tcp.hdr_len -e tcp.flags -e tcp.flags.fin -e tcp.flags.syn -e tcp.flags.reset -e tcp.flags.push -e tcp.flags.ack -e tcp.flags.urg -e tcp.flags.cwr -e tcp.window_size -e tcp.checksum -e tcp.urgent_pointer -e tcp.options.mss_val > network-traffic-investigation-1.csv :- If you want to filter traffic & you only need the first packet of each network conversation, you can use a filter using the -Y option.
