How Can You Identify the Threat of Attack in Wireshark?

In this article, we will be looking at Wireshark display filters and see how we can detect various network attacks with them in Wireshark.

We will be looking at a number of scenarios typically carried out by adversaries, e.g. various host discovery techniques, network port scanning methods, various network attacks such as denial of service, poisoning and flooding, and also wireless attacks.

  • Detection of host discovery (recon)
    • ARP scanning
    • IP Protocol scan
    • ICMP ping sweeps
    • TCP ping sweeps
    • UDP ping sweeps
  • Detection of network port scanning
    • TCP SYN / stealth scan
    • TCP Connect() scan
    • TCP Null scan
    • TCP FIN scan
    • TCP Xmass scan
    • UDP port scan
  • Detection of network attacks
    • ARP poisoning
    • ICMP flood
    • VLAN hopping
    • Unexplained packet loss
  • Detection of wireless network attacks
    • Client deauthentication
    • Client disassociation
    • Fake AP beacon flood
    • Authentication denial of service
  • Conclusion

The purpose of this article is to provide a list of actionable and practical methods for detecting these network attacks using Wireshark filters.

Let's get to it!

Detection of host discovery (recon)

This section contains Wireshark filters that could help in identifying adversaries trying to find live systems on our network.

Using these filters we should be able to detect various network discovery scans, ping sweeps and other things typically done during the reconnaissance (asset discovery) stage.

Here's the summary table with more details further down below:

Technique          Wireshark Filter                      Command / Tool
ARP scanning       arp.dst.hw_mac==00:00:00:00:00:00     arp-scan -l
IP protocol scan   icmp.type==3 and icmp.code==2         nmap -sO <target>
ICMP ping sweep    icmp.type==8 or icmp.type==0          nmap -sn -PE <subnet>
TCP ping sweeps    tcp.dstport==7                        nmap -sn -PS/-PA <subnet>
UDP ping sweeps    udp.dstport==7                        nmap -sn -PU <subnet>

ARP scanning

Here's a Wireshark filter to identify ARP scanning (host discovery technique on layer 2):

                arp.dst.hw_mac==00:00:00:00:00:00              

This is how ARP scanning looks in Wireshark:

Detecting ARP scanning with Wireshark filter

During ARP scanning, an attacker is typically sending a large number of ARP requests to the broadcast address (ff:ff:ff:ff:ff:ff) with the target MAC address set to 00:00:00:00:00:00, in order to find live IP addresses on the local network. We will typically see something like this:

                Who has 192.168.0.1? Tell 192.168.0.53
                Who has 192.168.0.2? Tell 192.168.0.53
                Who has 192.168.0.3? Tell 192.168.0.53
                Who has 192.168.0.4? Tell 192.168.0.53
                Who has 192.168.0.5? Tell 192.168.0.53
                ...

In this case the attacker has IP address 192.168.0.53.

If we see many of these ARP requests in a short period of time asking for many different IP addresses, someone is probably trying to find live IPs on our network by ARP scanning (e.g. by running arp-scan -l).

IP Protocol scan

Here's a Wireshark filter to identify IP protocol scans:

                icmp.type==3 and icmp.code==2

This is how an IP protocol scan looks in Wireshark:

Detecting IP Protocol scanning with Wireshark filter

IP protocol scanning is a technique allowing an attacker to discover which network protocols are supported by the target operating system (e.g. by running nmap -sO <target>).

During IP protocol scanning, we will likely see many ICMP type 3 (Destination unreachable) code 2 (Protocol unreachable) messages, because the attacker is typically sending a large number of packets with different protocol numbers.

ICMP ping sweeps

Here's a Wireshark filter to detect ICMP ping sweeps (host discovery technique on layer 3):

                icmp.type==8 or icmp.type==0

This is how ICMP ping sweeping looks in Wireshark:

Detecting ICMP ping sweeps with Wireshark filter

With this filter we are filtering ICMP Echo requests (type 8) or ICMP Echo replies (type 0).

If we see too many of these packets in a short period of time targeting many different IP addresses, then we are probably witnessing ICMP ping sweeps. Someone is trying to identify all live IP addresses on our network (e.g. by running nmap -sn -PE <subnet>).

TCP ping sweeps

Here's a Wireshark filter to detect TCP ping sweeps (host discovery technique on layer 4):

                tcp.dstport==7              

This is how TCP ping sweeping looks in Wireshark:

Detecting TCP ping sweeps with Wireshark filter

TCP ping sweeps typically use port 7 (echo). If we see a higher volume of such traffic destined to many different IP addresses, it means somebody is probably performing TCP ping sweeping to find live hosts on the network (e.g. by running nmap -sn -PS/-PA <subnet>).

UDP ping sweeps

Here's a Wireshark filter to detect UDP ping sweeps (host discovery technique on layer 4):

                udp.dstport==7              

This is how UDP ping sweeping looks in Wireshark:

Detecting UDP ping sweeps with Wireshark filter

Similarly to TCP, UDP ping sweeps typically use port 7 (echo). If we see a high volume of such traffic destined to many different IP addresses, it means somebody is probably performing UDP ping sweeping to find live hosts on the network (e.g. by running nmap -sn -PU <subnet>).
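
The filters above select the probe packets, but the judgement "many targets in a short period of time" is made by eye. The following script is an added example, not code from the original article or from Wireshark: it expresses the ARP-scan and ICMP ping-sweep filters in Python and adds a sliding-window count of distinct destinations per source. The packet records, the record layout and the thresholds (window length, minimum number of targets) are assumptions; in practice the records would come from a Wireshark or tshark export.

```python
"""Sliding-window host-discovery detector (added example, not from the article).
Applies the ARP-scan and ICMP-ping-sweep filters to packet summaries and
flags sources that touch many distinct destinations in a short window."""
from collections import defaultdict, deque

# Assumed record layout: (time_seconds, protocol, src_ip, dst_ip, detail)
# 'detail' is the ARP target MAC for ARP records and the ICMP type for ICMP.


def make_sample_packets():
    pkts = []
    # Constructed: 192.168.0.53 asks "Who has 192.168.0.1 .. .60?" within 2 s
    for i in range(1, 61):
        pkts.append((0.03 * i, "arp", "192.168.0.53", f"192.168.0.{i}", "00:00:00:00:00:00"))
    # Constructed: one ordinary ARP request from another host
    pkts.append((1.0, "arp", "192.168.0.7", "192.168.0.1", "00:00:00:00:00:00"))
    # Constructed: 10.0.0.9 sends echo requests to 40 hosts within 8 s
    for i in range(1, 41):
        pkts.append((10 + 0.2 * i, "icmp", "10.0.0.9", f"10.0.0.{i}", 8))
    # Constructed: an echo reply, which the sweep detector must not count
    pkts.append((12.0, "icmp", "10.0.0.3", "10.0.0.9", 0))
    return pkts


def distinct_targets_in_window(packets, match, window_s, min_targets):
    """For each source, find the largest number of distinct destinations it
    contacted inside any window_s-second span, counting only packets for
    which match(protocol, detail) is true (the display filter, in Python).
    Returns {src: count} for sources reaching min_targets."""
    by_src = defaultdict(list)
    for t, proto, src, dst, detail in packets:
        if match(proto, detail):
            by_src[src].append((t, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        window = deque()            # (time, dst) pairs currently inside the window
        live = defaultdict(int)     # dst -> number of window entries referencing it
        best = 0
        for t, dst in events:
            window.append((t, dst))
            live[dst] += 1
            while window[0][0] < t - window_s:   # expire entries older than the window
                _old_t, old_dst = window.popleft()
                live[old_dst] -= 1
                if live[old_dst] == 0:
                    del live[old_dst]
            best = max(best, len(live))
        if best >= min_targets:
            flagged[src] = best
    return flagged


def detect_arp_scan(packets, window_s=5, min_targets=20):
    """arp.dst.hw_mac==00:00:00:00:00:00 fanned out to many IPs from one source."""
    return distinct_targets_in_window(
        packets, lambda proto, d: proto == "arp" and d == "00:00:00:00:00:00",
        window_s, min_targets)


def detect_icmp_ping_sweep(packets, window_s=10, min_targets=20):
    """icmp.type==8 (echo request) fanned out to many IPs. Replies (type 0) are
    left out here so that the sweep is attributed to the host sending probes."""
    return distinct_targets_in_window(
        packets, lambda proto, d: proto == "icmp" and d == 8, window_s, min_targets)


if __name__ == "__main__":
    sample = make_sample_packets()
    print("ARP scan sources:", detect_arp_scan(sample))          # {'192.168.0.53': 60}
    print("ICMP sweep sources:", detect_icmp_ping_sweep(sample))  # {'10.0.0.9': 40}
```

The thresholds deliberately exclude the single ARP request from 192.168.0.7 and the echo reply from 10.0.0.3, which is the distinction the article draws between ordinary traffic and a scan: the same packet type, but fanned out to many hosts at once.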

Detection of network port scanning

This section contains Wireshark filters useful for identifying various network port scans, port sweeps etc.

Here's the summary table with more details further down below:

Technique            Wireshark Filter                                                  Command / Tool
TCP SYN scan         tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size<=1024   nmap -sS <target>
TCP Connect() scan   tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size>1024    nmap -sT <target>
TCP Null scan        tcp.flags==0                                                      nmap -sN <target>
TCP FIN scan         tcp.flags==0x001                                                  nmap -sF <target>
TCP Xmass scan       tcp.flags.fin==1 && tcp.flags.push==1 && tcp.flags.urg==1         nmap -sX <target>
UDP port scan        icmp.type==3 and icmp.code==3                                     nmap -sU <target>

TCP SYN / stealth scan

Here's a Wireshark filter to detect TCP SYN / stealth port scans, also known as TCP half-open scans:

                tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size <= 1024              

This is how a TCP SYN scan looks in Wireshark:

Detecting TCP SYN stealth scan with Wireshark filter

In this case we are filtering for TCP packets with:

  • SYN flag set
  • ACK flag not set
  • Window size <= 1024 bytes

This is basically the first step in the TCP 3-way handshake (the beginning of any TCP connection), with a very small TCP window size.

The small window size in particular is the characteristic parameter used by tools such as nmap or masscan during SYN scans, indicating that there will be essentially very little or no data.

If we see too many packets of this kind in a short period of time, someone is most likely doing:

  • SYN scans in our network (e.g. by running nmap -sS <target>)
  • SYN port sweeps across the network (e.g. by running nmap -sS -pXX <subnet>)
  • SYN floods (denial of service technique)

TCP Connect() scan

Here's a Wireshark filter to detect TCP Connect() port scans:

                tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size > 1024

This is how a TCP Connect() scan looks in Wireshark:

Detecting TCP Connect() scan with Wireshark filter

In this case we are filtering for TCP packets with:

  • SYN flag set
  • ACK flag not set
  • Window size > 1024 bytes

The only difference to SYN scans is the larger TCP window size, indicating a standard TCP connection, actually expecting some data to be transferred also.

If we see too many packets of this kind in a short period of time, someone is most likely doing:

  • Port scans in our network (e.g. by running nmap -sT <target>)
  • Port sweeps across the network (e.g. by running nmap -sT -pXX <subnet>)

TCP Null scan

Here's a Wireshark filter to identify TCP Null scans:

                tcp.flags==0              

This is how a TCP Null scan looks in Wireshark:

Detecting TCP Null scan with Wireshark filter

TCP Null scanning works by sending packets without any flags set. This could potentially penetrate some firewalls and discover open ports.

If we see packets like this in our network, someone is probably performing TCP Null scans (e.g. by running nmap -sN <target>).

TCP FIN scan

Here's a Wireshark filter to identify TCP FIN scans:

                tcp.flags==0x001              

This is how a TCP FIN scan looks in Wireshark:

Detecting TCP FIN scan with Wireshark filter

TCP FIN scans are characterized by sending packets with only the FIN flag set. This could (again) potentially penetrate some firewalls and discover open ports.

If we see many packets like this in our network, someone is probably performing TCP FIN scans (e.g. by running nmap -sF <target>).

TCP Xmass scan

Here's a Wireshark filter to detect TCP Xmass scans:

                tcp.flags.fin==1 && tcp.flags.push==1 && tcp.flags.urg==1              

This is how a TCP Xmass scan looks in Wireshark:

Detecting TCP Xmass scan with Wireshark filter

TCP Xmass scans work by sending packets with the FIN, PUSH and URG flags set. This is yet another technique for penetrating some firewalls to find open ports.

If we encounter such packets in our network, someone is probably performing TCP Xmass scans (e.g. by running nmap -sX <target>).

UDP port scan

Here's a Wireshark filter to identify UDP port scans:

                icmp.type==3 and icmp.code==3

This is how a UDP port scan looks in Wireshark:

Detecting UDP port scan with Wireshark filter

A good indicator of ongoing UDP port scanning is seeing a high number of ICMP packets in our network, namely ICMP type 3 (Destination unreachable) with code 3 (Port unreachable). These particular ICMP messages indicate that the remote UDP port is closed.

If we see a high number of these packets in our network in a short period of time, it most likely means someone is doing UDP port scans (e.g. by running nmap -sU <target>).
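
The five TCP filters in this section all reduce to two header fields: the flag byte and the window size. The script below is an added example, not code from the original article or from Wireshark: it reads those fields from raw 20-byte TCP headers and maps each segment onto the article's filters, using the article's 1024-byte window split to separate SYN scans from Connect() scans. The sample segments, the `scan_summary` record layout and the classification names are assumptions.

```python
"""TCP scan-type classifier (added example, not from the article). Reads flags
and window size from raw TCP headers and maps each segment onto the
article's SYN / Connect() / Null / FIN / Xmass filters."""
import struct

TCP_FMT = "!HHIIBBHHH"   # sport, dport, seq, ack, offset/reserved, flags, window, csum, urgptr
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG


def parse_tcp_header(hdr):
    """Return (src_port, dst_port, flags, window) from a 20-byte TCP header."""
    sport, dport, _seq, _ack, _off, flags, window, _csum, _urg = struct.unpack(TCP_FMT, hdr[:20])
    return sport, dport, flags, window


def classify_tcp(flags, window):
    """Map one segment onto the article's filters; None means 'looks normal'."""
    if flags == 0:
        return "null_scan"                       # tcp.flags==0
    if flags == FIN:
        return "fin_scan"                        # tcp.flags==0x001 (a real close carries FIN+ACK)
    if (flags & XMAS) == XMAS:
        return "xmas_scan"                       # tcp.flags.fin==1 && push==1 && urg==1
    if flags & SYN and not flags & ACK:          # tcp.flags.syn==1 and tcp.flags.ack==0
        return "syn_scan" if window <= 1024 else "connect_scan"
    return None


def build_tcp_header(sport, dport, flags, window):
    """Constructed 20-byte header (data offset 5, seq/ack/checksum zeroed)."""
    return struct.pack(TCP_FMT, sport, dport, 0, 0, 5 << 4, flags, window, 0, 0)


def scan_summary(packets):
    """packets: iterable of (src_ip, tcp_header_bytes). Returns
    {(src_ip, classification): segment count}, dropping normal segments."""
    counts = {}
    for src, hdr in packets:
        _sport, _dport, flags, window = parse_tcp_header(hdr)
        kind = classify_tcp(flags, window)
        if kind is not None:
            counts[(src, kind)] = counts.get((src, kind), 0) + 1
    return counts


def make_sample_packets():
    pkts = []
    # Constructed: half-open probes with a 1024-byte window against ports 1..50
    for port in range(1, 51):
        pkts.append(("192.168.0.53", build_tcp_header(40000 + port, port, SYN, 1024)))
    # Constructed: a normal client SYN with a large window, and the SYN/ACK back
    pkts.append(("192.168.0.20", build_tcp_header(51000, 443, SYN, 64240)))
    pkts.append(("192.168.0.1", build_tcp_header(443, 51000, SYN | ACK, 65535)))
    # Constructed: Null, FIN and Xmass probes from the same scanner
    pkts.append(("192.168.0.53", build_tcp_header(40100, 80, 0, 1024)))
    pkts.append(("192.168.0.53", build_tcp_header(40101, 80, FIN, 1024)))
    pkts.append(("192.168.0.53", build_tcp_header(40102, 80, XMAS, 1024)))
    # Constructed: an ordinary data segment, which must stay unclassified
    pkts.append(("192.168.0.20", build_tcp_header(51000, 443, PSH | ACK, 64240)))
    return pkts


if __name__ == "__main__":
    for (src, kind), n in sorted(scan_summary(make_sample_packets()).items()):
        print(f"{src:15} {kind:13} {n}")
```

Note that a single Connect()-style SYN is exactly what every legitimate client connection looks like; as the article says, it is the volume of such segments from one source in a short time that makes it a scan, so `scan_summary` is only meaningful when run over a whole capture.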

Detection of network attacks

This section contains Wireshark filters useful for identifying various network attacks such as poisoning attacks, flooding, VLAN hopping etc.

Here's the summary table with more details further down below:

Technique                 Wireshark Filter                                                 Command / Tool
ARP poisoning             arp.duplicate-address-detected or arp.duplicate-address-frame    arpspoof, ettercap
ICMP flood                icmp and data.len > 48                                           fping, hping
VLAN hopping              dtp or vlan.too_many_tags                                        frogger, yersinia
Unexplained packet loss   tcp.analysis.lost_segment or tcp.analysis.retransmission         n/a

ARP poisoning

Here's a Wireshark filter to detect ARP poisoning:

                arp.duplicate-address-detected or arp.duplicate-address-frame

This filter will display any occurrence of a single IP address being claimed by more than one MAC address. Such a situation likely indicates that ARP poisoning is happening in our network.

ARP poisoning (also known as ARP spoofing) is a technique used to intercept network traffic between the router and other clients on the local network. It allows the attacker to perform man-in-the-middle (MitM) attacks on neighboring computers on the local network using tools such as arpspoof, ettercap and others.
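
To see what the duplicate-address filter is actually keyed on, here is an added example that is not code from the original article or from Wireshark: it parses raw Ethernet/IPv4 ARP payloads and reports any sender IP that has been asserted by more than one sender MAC, which is the condition Wireshark's duplicate-address detection flags. The sample payloads and MAC addresses are constructed; the decision to ignore probes with a sender IP of 0.0.0.0 is an assumption based on RFC 5227 address-conflict probing.

```python
"""ARP duplicate-address detector (added example, not from the article).
Reproduces the 'one IP claimed by more than one MAC' condition behind
arp.duplicate-address-detected on raw 28-byte ARP payloads."""
import socket
import struct
from collections import defaultdict

ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Constructed Ethernet/IPv4 ARP payload; oper 1 = request, 2 = reply."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       _mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                       _mac_bytes(target_mac), socket.inet_aton(target_ip))


def parse_arp(payload):
    """Return (oper, sender_mac, sender_ip, target_mac, target_ip)."""
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return oper, _mac_str(sha), socket.inet_ntoa(spa), _mac_str(tha), socket.inet_ntoa(tpa)


def find_duplicate_addresses(payloads):
    """Every ARP request or reply asserts 'sender_ip is at sender_mac'.
    Collect those claims and return {ip: [mac, ...]} for IPs claimed by
    more than one MAC, which is what the article's filter surfaces."""
    claims = defaultdict(set)
    for payload in payloads:
        _oper, sender_mac, sender_ip, _tmac, _tip = parse_arp(payload)
        if sender_ip != "0.0.0.0":        # assumption: skip RFC 5227 address probes
            claims[sender_ip].add(sender_mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def make_sample_payloads():
    gw_mac, victim_mac, rogue_mac = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", "de:ad:be:ef:00:01"
    return [
        # Constructed: victim asks for the gateway, gateway answers truthfully
        build_arp(1, victim_mac, "192.168.0.10", "00:00:00:00:00:00", "192.168.0.1"),
        build_arp(2, gw_mac, "192.168.0.1", victim_mac, "192.168.0.10"),
        # Constructed: a second MAC now claims the gateway's IP (the poisoning symptom)
        build_arp(2, rogue_mac, "192.168.0.1", victim_mac, "192.168.0.10"),
        # Constructed: a benign address probe with sender IP 0.0.0.0
        build_arp(1, "00:aa:bb:cc:dd:ef", "0.0.0.0", "00:00:00:00:00:00", "192.168.0.20"),
    ]


if __name__ == "__main__":
    print(find_duplicate_addresses(make_sample_payloads()))
    # {'192.168.0.1': ['00:11:22:33:44:55', 'de:ad:be:ef:00:01']}
```

In a long capture this check also fires on legitimate events such as a replaced router or a failed-over virtual IP, so the finding should be read together with which MAC won (the one the clients end up using) and whether the change was expected.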

ICMP flood

Here's how to detect ICMP flooding (denial of service technique) with a Wireshark filter:

                icmp and data.len > 48              

This is how an ICMP flood attack looks in Wireshark:

Detecting ICMP flood DoS with Wireshark filter

A typical standard ICMP ping sends packets with 32 bytes of data (ping command on Windows) or 48 bytes (ping command on Linux).

When someone is doing ICMP flooding, they typically send much larger data, so here we are filtering all ICMP packets with a data size of more than 48 bytes. This will effectively detect any ICMP flooding regardless of the ICMP type or code.

Adversaries typically use tools such as fping or hping to perform ICMP flooding.

VLAN hopping

Here's a Wireshark filter for detecting VLAN hopping on the network:

                dtp or vlan.too_many_tags              

This is how a VLAN hopping attack looks in Wireshark:

Detecting VLAN hopping with Wireshark filter

VLAN hopping is a technique for bypassing NAC (network access controls), often used by attackers trying to access different VLANs by exploiting misconfigurations of Cisco switches.

A solid indicator of VLAN hopping is the presence of DTP packets or packets tagged with multiple VLAN tags.

If we encounter such packets in our network, someone might be attempting VLAN hopping, e.g. by using the frogger or yersinia utilities.

Unexplained packet loss

Here's a filter for detecting packet loss on the network:

                tcp.analysis.lost_segment or tcp.analysis.retransmission              

If we see many packet retransmissions and gaps in the network communication (missing packets), it may indicate that there is a severe problem in the network, possibly caused by a denial of service attack.

Seeing such a situation in Wireshark certainly warrants further investigation.

Detection of wireless network attacks

This section contains Wireshark filters useful for identifying various wireless network attacks such as deauthentication, disassociation, beacon flooding or authentication denial of service attacks.

Here's the summary table with more details further down below:

Technique                 Wireshark Filter               Command / Tool
Client deauthentication   wlan.fc.type_subtype == 12     aireplay-ng, mdk3, mdk4
Client disassociation     wlan.fc.type_subtype == 10     mdk3, mdk4
Fake AP beacon flood      wlan.fc.type_subtype == 8      mdk3, mdk4
Authentication DoS        wlan.fc.type_subtype == 11     mdk3, mdk4

Client deauthentication

Here's a Wireshark filter to detect deauthentication frames on wireless networks:

                wlan.fc.type_subtype == 12              

This is how a wireless deauthentication attack looks in Wireshark:

Detecting WiFi deauthentication attack with Wireshark filter

Seeing type 12 (deauthentication) frames in the air likely indicates that there is an attacker trying to deauthenticate other clients from the network in order to make them re-authenticate, and consequently collect (sniff) the exchanged WPA / WPA2 4-way handshakes while they are re-authenticating.

This is a known technique for breaking into PSK (pre-shared key) based wireless networks. Once the attacker collects the 4-way WPA handshake, the attacker can then try to crack it and consequently obtain the cleartext password and access the network.

More information about deauthentication attacks can be found here.

Client disassociation

Here's a Wireshark filter to detect disassociation frames on wireless networks:

                wlan.fc.type_subtype == 10              

This is how a wireless disassociation attack looks in Wireshark:

Detecting WiFi disassociation attack with Wireshark filter

The disassociation attack is another type of attack against PSK based wireless networks which works against WPA / WPA2. The idea behind this attack is that the attacker is sending type 10 (disassociation) frames which disconnect all clients from the target AP.

This could be even more effective for the attacker to collect the 4-way handshakes. The attacker can (again) try to crack one of them and possibly obtain the cleartext password and access the network.

This type of attack can be carried out using tools such as mdk3 or mdk4 (e.g. by running mdk4 wlan0mon d).

Fake AP beacon flood

Here's a Wireshark filter to detect fake AP beacon flooding on wireless networks:

                wlan.fc.type_subtype == 8              

This is how a wireless fake AP beacon flood attack looks in Wireshark:

Detecting WiFi fake AP beacon flood DoS attack with Wireshark filter

The idea behind this attack is to flood the area with random fake access point beacons. This could potentially cause connectivity disruptions (jamming) within the area or crash some of the clients (denial of service).

If we see a high number of many different beacon frames in a short period of time, someone could be performing beacon flooding in the area.

Such an attack can be carried out using tools such as mdk3 or mdk4 (e.g. by running mdk4 wlan0mon b).

Authentication denial of service

Here's a Wireshark filter to detect authentication denial of service attacks on wireless networks:

                wlan.fc.type_subtype == 11              

This is how a wireless authentication DoS attack looks in Wireshark:

Detecting WiFi authentication DoS attack on AP with Wireshark filter

This type of attack works by flooding wireless access points in the area with many type 11 (authentication) frames, essentially simulating a large number of clients trying to authenticate at the same time. This could overload some access points and potentially freeze or reset them and cause connectivity disruptions (jamming) in the area.

If we see a high number of type 11 frames in a short period of time, someone could be performing authentication flooding in the area.

This type of attack can be carried out using tools such as mdk3 or mdk4 (e.g. by running mdk4 wlan0mon a).
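
All four wireless filters in this section test the same field, wlan.fc.type_subtype, which Wireshark derives from the two-byte frame control field at the start of every 802.11 frame. The script below is an added example, not code from the original article or from Wireshark: it computes that value from raw frame bytes, counts the four watched management subtypes per BSSID, and turns the article's "high number in a short time" observations for deauthentication, disassociation, authentication and beacon floods into two simple thresholds. The sample frames, the BSSIDs and the thresholds are constructed assumptions.

```python
"""802.11 management-frame counter (added example, not from the article).
Derives wlan.fc.type_subtype from the raw frame control field and counts
deauthentication, disassociation, authentication and beacon frames per BSSID."""
import struct
from collections import Counter

# wlan.fc.type_subtype values the article filters on (all type 0 = management)
MGMT_NAMES = {8: "beacon", 10: "disassociation", 11: "authentication", 12: "deauthentication"}
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def type_subtype(frame):
    """Frame control is the first two bytes, little-endian: bits 0-1 protocol
    version, 2-3 type, 4-7 subtype. Wireshark's type_subtype is (type << 4) | subtype,
    so management frames (type 0) show their subtype number directly."""
    fc = struct.unpack("<H", frame[:2])[0]
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    return (ftype << 4) | subtype


def mgmt_bssid(frame):
    """In management frames addr3 (bytes 16..21 of the MAC header) is the BSSID."""
    return _mac_str(frame[16:22])


def build_frame(ftype, subtype, addr1, addr2, addr3):
    """Constructed 24-byte MAC header: FC, duration, addr1..3, sequence control."""
    fc = (subtype << 4) | (ftype << 2)
    return struct.pack("<HH6s6s6sH", fc, 0, _mac_bytes(addr1), _mac_bytes(addr2), _mac_bytes(addr3), 0)


def count_mgmt_frames(frames):
    """Counter keyed by (bssid, frame name) over the four watched subtypes."""
    counts = Counter()
    for f in frames:
        name = MGMT_NAMES.get(type_subtype(f))
        if name:
            counts[(mgmt_bssid(f), name)] += 1
    return counts


def flag_floods(frames, per_bssid_threshold=50, distinct_beacon_threshold=20):
    """Findings for the capture window: a burst of deauth/disassoc/auth frames
    for one BSSID, or beacons from an implausible number of distinct BSSIDs."""
    counts = count_mgmt_frames(frames)
    findings = [f"{name} flood from BSSID {bssid} ({n} frames)"
                for (bssid, name), n in counts.items()
                if name != "beacon" and n >= per_bssid_threshold]
    beacon_bssids = {bssid for (bssid, name) in counts if name == "beacon"}
    if len(beacon_bssids) >= distinct_beacon_threshold:
        findings.append(f"beacon flood: {len(beacon_bssids)} distinct BSSIDs")
    return findings


def make_sample_frames():
    ap = "aa:bb:cc:dd:ee:01"
    frames = [build_frame(0, 8, BROADCAST, ap, ap) for _ in range(3)]       # legitimate beacons
    frames += [build_frame(0, 12, BROADCAST, ap, ap) for _ in range(100)]   # deauth burst
    frames += [build_frame(0, 8, BROADCAST, f"02:00:00:00:00:{i:02x}", f"02:00:00:00:00:{i:02x}")
               for i in range(40)]                                          # 40 fake APs beaconing
    frames.append(build_frame(2, 0, ap, "00:11:22:33:44:55", ap))           # a data frame, ignored
    return frames


if __name__ == "__main__":
    for finding in flag_floods(make_sample_frames()):
        print(finding)
```

Because every frame of one capture window is counted, the thresholds are in frames per window; when feeding a live capture, reset the counters on each window so a normal beacon interval (roughly ten beacons per second per AP) is never mistaken for a flood.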

Conclusion

Wireshark is a very powerful tool when it comes to analyzing computer networks. Its vast number of protocol dissectors and filtering capabilities allow us to easily observe, visualize and report on many different aspects of computer networks, not only from the cyber security perspective.

If you liked this collection of Wireshark filters and you would like more content like this, please subscribe to my mailing list and follow InfosecMatter on Twitter and Facebook to keep up with the latest developments! You can also support me through a donation.

Source: https://www.infosecmatter.com/detecting-network-attacks-with-wireshark/
