@cutaway
Last active May 28, 2022 19:38

PCAPs Resources

• Download PCAPs
	○ Free PCAPS: https://www.netresec.com/?page=PcapFiles
	○ SecRepo: https://www.secrepo.com/
• ICS Port Numbers
	○ IPv4 Multicast Addresses
		§ https://www.iana.org/assignments/multicast-addresses/multicast-addresses.txt
	○ Old Digital Bond: https://github.com/ITI/ICS-Security-Tools/blob/master/protocols/PORTS.md
	○ WonderWare: 
		§ https://knowledge.insourcess.com/Wonderware_(General)/Tech_Notes/TN_WW165_Firewall_ports_for_Wonderware_products
		§ https://knowledge.insourcess.com/ACP_Thinmanager/Tech_Notes/TN_TM108_Ports_required_for_ACP_ThinManager
		§ https://knowledge.insourcess.com/Support_Tickets/Application_Server/Installation%2F%2FConfiguration/67948_-_What_are_the_network_open_port_requirements_for_Wonderware%2C_Kepware%2C_Archestra%2C_MES_and_ThinManager%3F

Tshark

• Manual Page
	○ https://www.wireshark.org/docs/man-pages/tshark.html
• Remove Error Frames from SPAN Captures / Dead Asset Requests
	○ tshark -Y '!(tcp.analysis.out_of_order) && !(tcp.analysis.duplicate_ack) && !(tcp.analysis.retransmission) && !(tcp.analysis.spurious_retransmission)' -F pcap -r <file.pcap> -w <file_noerrs.pcap>
• Remove broadcast messages
	○ tshark -Y '!(eth.addr==ff:ff:ff:ff:ff:ff) && !(ip.addr==239.0.0.0/8) && !(ip.addr==224.0.0.0/8) && !(ip.addr==169.0.0.0/8) && !(ip.addr==0.0.0.0) && !(ip.addr==10.0.255.255)' -F pcap -r <file.pcap> -w <file_nobroad.pcap>
• Conversations
	○ IP Conversations
		§ tshark -n -q -z conv,ip -r <file.pcap>
	○ Ethernet Conversations
		§ tshark -q -z conv,eth -r <file.pcap>
			□ Omit -n here so that tshark resolves the MAC address prefixes to vendor (OUI) names; the vendor helps identify what kind of endpoint each address is.
	○ TCP Conversations
		§ tshark -n -q -z conv,tcp -r <file.pcap>
• Protocol Hierarchy
	○ tshark -qz io,phs -r <file.pcap>
• RTSP Authentication
	○ tshark -n -V -T text -Y '(rtsp.method == "OPTIONS") && (frame contains "Authorization: Basic")' -r <file.pcap> | grep Auth
• HTTP Basic Auth
	○ tshark -n -T fields -e ip.src -e ip.dst -e http.authbasic -Y "http && http.authbasic" -r <file.pcap>
• HTTP URIs
	○ tshark -Y 'http.request.uri' -Tfields -e http.request.uri -r <file.pcap> | sort | uniq
• DNS Queries
	○ tshark -T fields -e ip.src -e dns.qry.name -Y "dns.flags.response eq 0 && ip.src" -r <file.pcap> | sort -u
	○ Can also be done using NetworkMiner - set up on Security Onion
• SSL / TLS Connections
	○ Wireshark 3.0 and later renamed the ssl protocol and its fields to tls, so on current builds write tls && tls.handshake.type == 1 instead. Handshake type 1 is the ClientHello, which is why ip.dst gives the server and ip.src the client.
	○ Servers
		§ tshark -n -T fields -e ip.dst -Y "(ssl && (ssl.handshake.type == 1))" -r <file.pcap> | sort | uniq
	○ Clients
		§ tshark -n -T fields -e ip.src -Y "(ssl && (ssl.handshake.type == 1))" -r <file.pcap> | sort | uniq
• HTTP Connections
	○ Servers
		§ tshark -n -T fields -e ip.dst -Y "http.request.method" -r <file.pcap> | sort | uniq
	○ Clients
		§ tshark -n -T fields -e ip.src -Y "http.request.method" -r <file.pcap> | sort | uniq
• SMBv1
	○ Servers Negotiating Response to Client
		§ tshark -Y 'smb && frame[70:4] == ff:53:4d:42 && smb.dialect.index == 0 && smb.flags.response == 1' -T fields -e ip.src -r <file.pcap>
			□ https://www.reddit.com/r/sysadmin/comments/6azrgc/verifying_nothing_relies_on_smbv1_using/
• NTLMSSP
	○ tshark -T fields -e ip.src -e ntlmssp.ntlmserverchallenge -e ip.dst -e ntlmssp.auth.domain -e ntlmssp.auth.username -e ntlmssp.auth.ntresponse -Y "ntlmssp.messagetype == 0x00000002 || ntlmssp.messagetype == 0x00000003" -r <file.pcap>
	○ Servers making challenges
		§ tshark -T fields -e ip.src -Y "ntlmssp.messagetype == 0x00000002" -r <file.pcap>| sort | uniq
• SNMP Community Strings
	○ tshark -n -T fields -e ip.src -e snmp.version -e snmp.community -Y '!(icmp) && snmp.community && udp.dstport == 161' -r <file.pcap> | sort | uniq
		§ Exclude ICMP: a Destination Unreachable message embeds the original UDP datagram, so its SNMP fields would match as well.
	○ snmp.data is the PDU type (0 get-request, 1 get-next-request, 2 get-response, 3 set-request), so the senders of requests are the managers and the senders of responses are the agents.
	○ Clients (managers sending requests)
		§ tshark -n -T fields -e ip.src -Y '!(icmp) && snmp.data == 0' -r <file.pcap> | sort | uniq
	○ Servers (agents sending responses)
		§ tshark -n -T fields -e ip.src -Y '!(icmp) && snmp.data == 2' -r <file.pcap> | sort | uniq
• Remote Desktop
	○ tshark -Y "tcp.port == 3389 || vnc" -T fields -e ip.src -e ip.dst -r <file.pcap> | sort | uniq
		§ TODO: This needs to be cleaned up to properly detect the source of the connection.
• VLAN IDs List
	○ tshark -Y vlan.id -T fields -e vlan.id -r <file.pcapng> | sort -u
	
• Industrial Control Protocols
	○ Purpose:
		§ Identify the masters (clients) and the slaves (servers) they poll
		§ Identify the common protocols each master uses
		§ Also identify any proprietary protocols in use; this is harder, because Wireshark / Tshark may have no dissector for them, so they only show up as unidentified TCP or UDP traffic.
	○ Modbus
		§ Function Codes
			□ https://www.csimn.com/CSI_pages/Modbus101.html
		§ Clients
			□ tshark -n -Y "mbtcp && tcp.dstport == 502" -T fields -e ip.src -r <file.pcap> | sort | uniq
			□ Clients with function codes
				® tshark -n -Y "mbtcp && tcp.dstport == 502" -T fields -e ip.src -e modbus.func_code -r <file.pcap> | sort | uniq
		§ Servers
			□ tshark -Y "mbtcp && tcp.dstport == 502" -T fields -e ip.dst -e eth.dst -r <file.pcap> | sort | uniq
				® -T fields prints raw MAC addresses without vendor (OUI) resolution, so look the prefixes up yourself.
			□ tshark -Y "mbtcp && tcp.dstport == 502" -T fields -e ip.dst -r <file.pcap> | sort | uniq | wc -l
	○ Aveva / WonderWare SuiteLink
		§ tshark -Y "tcp.dstport == 5413" -T fields  -e ip.src -e ip.dst -r <file.pcap> | sort -u
		§ Servers
			□ tshark -Y "tcp.dstport == 5413" -T fields -e ip.dst -r <file.pcap> | sort | uniq
		§ Clients
			□ tshark -Y "tcp.dstport == 5413" -T fields -e ip.src -r <file.pcap> | sort | uniq
	○ Aveva / WonderWare InBatch 
		§ Servers
			□ tshark -Y "tcp.dstport >= 9000 && tcp.dstport <= 9015" -T fields -e ip.dst -r <file.pcap> | sort | uniq
		§ Clients
			□ tshark -Y "tcp.dstport >= 9000 && tcp.dstport <= 9015" -T fields -e ip.src -r <file.pcap> | sort | uniq
	○ BACnet
		§ -d udp.port==47809,bvlc decodes the alternate port 47809 as BVLC; the default port 47808 (0xBAC0) is dissected without it.
		§ I-Am responses to Who-Is - sorted by source IP address
			□ tshark -d udp.port==47809,bvlc -Y 'bacapp.unconfirmed_service == 0' -T fields -e ip.src -e bacapp.instance_number -e bacnet.sadr_mstp -e bacnet.snet -E separator=, -r <file.pcap> | sort | uniq | sort -g -t. -k 1,1 -k 2,2 -k 3,3 -k 4,4
		§ Device Count BACnet source
			□ tshark -d udp.port==47809,bvlc -Y 'bacnet' -T fields -e ip.src -e ip.dst -r <file.pcap> | grep -v ',' | sort | uniq > <outfile.txt>
				® -T fields joins repeated values of a field with a comma, so grep -v ',' drops frames that carry a second IP header (for example ICMP errors).
				® The resulting file still needs to be counted; one way is to export the Wireshark-filtered conversations to an MS Excel file and build a pivot table.
	○ IEC61850
		§ Ethernet Types
			□ tshark -Y 'eth.type' -T fields -e eth.type -r <file.pcap> | sort -u
				® GOOSE frames use Ethernet type 0x88b8 and Sampled Values 0x88ba, so their presence shows up directly in this list.
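Most of the Servers / Clients commands above end in `sort | uniq` and leave the counting to the reader, and the BACnet note says the device file "still needs to be counted". The script below is an added example, not part of the original gist: it post-processes the tab-separated output of `tshark -T fields` (fed in through a pipe) to produce a per-server count of distinct clients and a distinct-source count. The function names and the sample lines are this example's own constructions; the SYN-only display filter in the comments is the assumed way to get one line per connection attempt.

```shell
#!/bin/sh
# Added example, not part of the original gist. Post-processes the tab-separated
# output of `tshark -T fields` so that the Servers / Clients listings become a
# per-server client count, and a src/dst listing becomes a distinct-device count.
# Function names and the sample data below are this example's own assumptions.

# Constructed sample (not a real capture) in the shape produced by
#   tshark -n -Y 'tcp.flags.syn == 1 && tcp.flags.ack == 0' \
#          -T fields -e ip.src -e ip.dst -e tcp.dstport -r <file.pcap>
# i.e. one line per connection attempt: client, server, server port.
# The last line mimics an ICMP error frame, where ip.src carries two values.
sample_syn_fields() {
    printf '%s\t%s\t%s\n' \
        10.0.1.10 10.0.2.5 502 \
        10.0.1.11 10.0.2.5 502 \
        10.0.1.10 10.0.2.5 502 \
        10.0.1.12 10.0.2.5 502 \
        10.0.1.10 10.0.2.7 5413 \
        10.0.1.13 10.0.2.7 5413 \
        10.0.1.10,10.0.1.99 10.0.2.9 502
}

# Drop lines where a field has several values: tshark joins them with a comma,
# which happens for ICMP errors that embed a second IP header. This is the same
# trick the gist's BACnet device-count command uses with grep -v ','.
drop_multivalue_lines() {
    grep -v ','
}

# Read "src<TAB>dst<TAB>dstport" lines on stdin and print
# "server port distinct_clients", busiest server first.
tcp_server_summary() {
    drop_multivalue_lines | awk -F'\t' '
        NF >= 3 {
            key = $2 " " $3                        # server address and port
            if (!seen[key, $1]++) clients[key]++   # count each client once per server
        }
        END { for (k in clients) print k, clients[k] }
    ' | sort -k3,3nr -k1,1
}

# Read src/dst listings (column 1 = ip.src) on stdin and print how many
# distinct source addresses appear, i.e. the count the BACnet note asks for.
count_unique_sources() {
    drop_multivalue_lines | awk -F'\t' '
        $1 != "" { devices[$1] = 1 }
        END { n = 0; for (d in devices) n++; print n }
    '
}

# Demo when run as `sh this_script.sh demo`. Against a real capture, pipe tshark in:
#   tshark -n -Y 'tcp.flags.syn == 1 && tcp.flags.ack == 0' \
#          -T fields -e ip.src -e ip.dst -e tcp.dstport -r file.pcap | tcp_server_summary
if [ "${1-}" = "demo" ]; then
    sample_syn_fields | tcp_server_summary
    sample_syn_fields | count_unique_sources
fi
```

Using SYN-only frames (SYN set, ACK clear) as the input fixes the direction problem noted under Remote Desktop: the source of the first SYN is always the client, whatever port it talks to, so the same summary works for Modbus, SuiteLink, InBatch or RDP by changing only the tshark display filter.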