An intro video for finding hackers or anomalous behavior on your network in a packet capture with Wireshark. Plenty of stuff for beginners and something for everyone else too.
If you have any questions or ideas for future videos, please leave a comment and let me know.
Filters used:
**** I will add this list to my website soon and leave the link here. **
Scanning:
syn packets - with no matching ack:
(tcp.flags.syn == True) && (tcp.completeness.syn-ack == False)
TCP reset packets:
tcp.flags.reset
DNS:
dns
DNS server failure or no such name:
dns.flags.rcode == 2 or dns.flags.rcode == 3
user to user traffic:
put in your user networks in a filter like:
ip.addr == x.x.x.x/24 and ip.addr==x.x.x.x/24
Web enumuration:
http.request.method == "GET"
Web logins:
tcp matches "login"
http.request.method == "POST"
tcp matches "password"
login errors:
http.response.code gt 200
responder:
nbns
nbns.flags.response == True
logging in to machine running responder:
ntlmssp
service controller:
svcctl
kerberoasting, the enctype 23 id RC4 encryption:
kerberos && kerberos.enctype==23
not my dhcp - Put your DNS servers in {}
dhcp and ip.addr not in {192.168.1.150, 192.168.2.150, 192.168.100.150} && (dhcp.option.dhcp == 2 || dhcp.option.dhcp == 5 || dhcp.option.dhcp == 5)
not my dns - responses - Put your DHCP servers in {}
(dns and ip.addr not in {192.168.1.150, 192.168.2.150, 192.168.100.150}) && (dns.flags.response == True)
ipv6 traffic filter:
ipv6
Timestamps:
00:00 Start
0:15 User vs Hacker
0:51 Port Scanning
1:27 DNS enumeration
2:01 User to user traffic
2:33 Attacking web servers - Enumeration
2:58 Attacking web servers - Passwords
3:34 NBNS & Responder
4:10 Manipulating services
4:38 Kerberoasting
5:25 Rogue DNS or DHCP
6:01 IPv6 / MITM6
6:21 Conclusion
Негізгі бет Ғылым және технология Find Hackers on your network with Wireshark - 10 signs to look for!
Пікірлер: 33