Wireshark is not just a network monitoring tool. For red teamers, it's a weapon for reconnaissance, credential harvesting, and traffic manipulation. This guide covers stealthy packet analysis techniques to enhance offensive operations.
You Should Know:
1️⃣ Capturing Network Traffic
Capture all traffic on an interface to a file:
tshark -i eth0 -w capture.pcap
Filter for HTTP credentials (Basic Auth):
http.authorization contains "Basic"
2️⃣ Sniffing Credentials & Sensitive Data
Find FTP, SMB, and Telnet traffic (SMB runs on both 139 and 445, so filter for both):
tcp.port == 21 || tcp.port == 139 || tcp.port == 445 || tcp.port == 23
Extract Kerberos tickets for Pass-the-Ticket attacks:
kerberos.CNameString && ip.src == <target-ip>
3️⃣ MITM & Network Exploitation
Flag ARP spoofing (Wireshark marks frames where one IP address is claimed by more than one MAC):
arp.duplicate-address-frame
Filter DNS traffic for subdomain enumeration:
dns.qry.name contains "target.com"
4️⃣ Exfiltration & C2 Detection
Detect unusual ICMP tunnels used for data exfiltration:
icmp && frame.len > 100
Monitor outbound TLS handshakes (Client Hello) to destinations outside your known set:
tls.handshake.type == 1 && !(ip.dst in {<known-IPs>})
🛡 Defensive Mitigations
- Encrypt all sensitive traffic (TLS, VPNs, and SSH/SFTP instead of Telnet/FTP)
- Monitor for anomalous packet sizes & unusual data exfiltration
- Enable detection of ARP spoofing and DNS attacks
- Use network segmentation to limit lateral movement
Advanced Wireshark Commands for Red Teaming
Extract files from packet captures:
tshark -r capture.pcap --export-objects http,/path/to/save/files
Extract the RTP payload of VoIP calls (SIP/RTP). The output is raw codec data, which still has to be decoded with the stream's codec before it can be played; the tr step removes the colon separators that older tshark releases print between bytes:
tshark -r voip.pcap -Y "rtp" -T fields -e rtp.payload | tr -d ':' | xxd -r -p > audio.raw
Detect SQL injection attempts in HTTP traffic (matches is case-sensitive unless the pattern starts with (?i), and the URI is matched as it appears on the wire, still URL-encoded):
http.request.uri matches "(?i)select.+from"
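A display filter sees the request URI exactly as it was sent, so case and URL-encoding can hide the keywords it looks for. The script below is an added example (not part of the post) that applies the same idea after decoding and case-folding, and contrasts it with the raw-URI match. The pattern labels, the bounded double-decoding and the sample URIs are all constructed for the example.

```python
"""Check request URIs for SQL-injection indicators the way an HTTP display
filter cannot: after URL-decoding and case-folding.  Added example, not from the post."""
import re
from urllib.parse import unquote_plus

# Constructed indicator patterns; the labels are this example's own names.
SQLI_PATTERNS = [
    ("select-from", re.compile(r"\bselect\b.+\bfrom\b", re.I | re.S)),
    ("union-select", re.compile(r"\bunion\b.+\bselect\b", re.I | re.S)),
    ("tautology", re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I)),
]

# The post's filter regex as Wireshark evaluates it: case-sensitive, on the raw URI.
NAIVE_FILTER = re.compile(r".select.from.")


def normalise_uri(uri, max_rounds=3):
    """URL-decode repeatedly (bounded) so that %2527 -> %27 -> ' is not missed."""
    for _ in range(max_rounds):
        decoded = unquote_plus(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def sqli_indicators(uri):
    """Return the labels of every pattern that matches the normalised URI."""
    decoded = normalise_uri(uri)
    return [label for label, pattern in SQLI_PATTERNS if pattern.search(decoded)]


def naive_filter_matches(uri):
    """What `http.request.uri matches ".select.from."` would decide for this URI."""
    return NAIVE_FILTER.search(uri) is not None


# Constructed request URIs (not taken from a capture).
SAMPLE_URIS = [
    "/search?q=shoes",
    "/item?id=1%20UNION%20SELECT%20username%2Cpassword%20FROM%20users",
    "/item?id=1'%20or%20'1'%3D'1",
    "/report?sql=select%2520*%2520from%2520orders",   # double-encoded
]

if __name__ == "__main__":
    for u in SAMPLE_URIS:
        print(f"{u}\n  raw-URI filter: {naive_filter_matches(u)}"
              f"  decoded indicators: {sqli_indicators(u)}")
```

Feed it the output of `tshark -r capture.pcap -Y http.request -T fields -e http.request.uri`, one URI per line, to score a whole capture; the raw-URI filter misses every sample except the plain one, which is why decoding before matching matters for detection.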
Automating Wireshark with Bash
Capture traffic for 60 seconds, then list the HTTP POST requests (tshark's own -a duration: stop condition exits cleanly; killing it with timeout returns a non-zero status, so the && part would never run):
tshark -i eth0 -a duration:60 -w temp.pcap && tshark -r temp.pcap -Y 'http.request.method == "POST"'
Extract all DNS queries from a pcap:
tshark -r traffic.pcap -T fields -e dns.qry.name | sort | uniq -c | sort -nr
Windows Command-Line Alternatives
Capture traffic with PowerShell (requires admin):
New-NetEventSession -Name "CaptureSession" -CaptureMode SaveToFile -LocalFilePath "C:\capture.etl"
Add-NetEventPacketCaptureProvider -SessionName "CaptureSession"   # without a provider the session records nothing
Start-NetEventSession -Name "CaptureSession"
Stop the capture; the .etl file has to be converted (for example with Microsoft's etl2pcapng) before Wireshark can open it:
Stop-NetEventSession -Name "CaptureSession"
Defensive Wireshark Filters
Detect Nmap SYN scans (SYN without ACK and the small window Nmap uses for its raw probes):
tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size <= 1024
Find query names long enough to suggest DNS tunneling:
dns.qry.name.len > 50
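The filters in section 4 and in this section each express one indicator; in practice you export the relevant fields once with tshark and score them together. The script below is an added example, not part of the post, that reads `tshark -T fields` output and applies the post's three thresholds (query name length over 50, ICMP frames over 100 bytes, SYNs without ACK with a window of 1024 or less) plus the DNS query count from the Bash section. It goes a little beyond the page: a source is only called a scanner after several distinct targets, and a parent domain is flagged when many different leading labels appear under it. The field order, the extra thresholds and the sample lines are all constructed for the example.

```python
"""Score tshark field output for the exfiltration, tunnelling and scan
indicators described above.  Added example, not part of the post."""
import sys
from collections import Counter, defaultdict

# Assumed column order, produced by (tab-separated is tshark's default for -T fields):
#   tshark -r traffic.pcap -T fields -e frame.len -e ip.src -e ip.dst -e ip.proto \
#          -e dns.qry.name -e tcp.flags.syn -e tcp.flags.ack -e tcp.window_size
FIELDS = ["frame_len", "src", "dst", "proto", "qname", "syn", "ack", "win"]

# The first three thresholds are the post's own filter values; the last two are
# constructed for this example and should be tuned to the network.
LONG_QNAME = 50            # dns.qry.name.len > 50
ICMP_FRAME_LEN = 100       # icmp && frame.len > 100
SYN_SCAN_WINDOW = 1024     # tcp.window_size <= 1024 on a SYN without ACK
SYN_SCAN_MIN_TARGETS = 3   # distinct destinations before a source counts as a scanner
TUNNEL_MIN_LABELS = 2      # distinct leading labels under one parent domain

# Constructed sample output (not from a real capture), one packet per line.
SAMPLE = "\n".join([
    # ordinary DNS lookups from a workstation (ip.proto 17 = UDP)
    "74\t10.0.0.5\t10.0.0.53\t17\twww.example.com\t\t\t",
    "74\t10.0.0.5\t10.0.0.53\t17\twww.example.com\t\t\t",
    "72\t10.0.0.5\t10.0.0.53\t17\tcdn.example.org\t\t\t",
    # long encoded labels under one parent: the DNS tunnelling pattern
    "131\t10.0.0.9\t10.0.0.53\t17\tmfrggzdfmztwq2lknbqwcy3pnzzwc5dfnrxw4zldmuqq.x.tunnel.example.net\t\t\t",
    "129\t10.0.0.9\t10.0.0.53\t17\tnfsgkzdtnnuw4zjanfzsaylmnruwizlsmf2gkidjovzxiidenbqwgzlt.x.tunnel.example.net\t\t\t",
    # ICMP (ip.proto 1): a normal 98-byte ping, then an oversized echo carrying data
    "98\t10.0.0.5\t10.0.0.1\t1\t\t\t\t",
    "1042\t10.0.0.9\t203.0.113.7\t1\t\t\t\t",
    # TCP SYNs (ip.proto 6) with a small window and no ACK to several hosts
    "58\t10.0.0.77\t10.0.0.10\t6\t\t1\t0\t1024",
    "58\t10.0.0.77\t10.0.0.11\t6\t\t1\t0\t1024",
    "58\t10.0.0.77\t10.0.0.12\t6\t\t1\t0\t1024",
    # a normal client SYN with a large window
    "74\t10.0.0.5\t10.0.0.10\t6\t\t1\t0\t64240",
])


def parse_fields(text):
    """Turn tshark -T fields lines into dicts; missing trailing columns become ''."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        parts += [""] * (len(FIELDS) - len(parts))
        rows.append(dict(zip(FIELDS, parts)))
    return rows


def _flag(value):
    # tshark prints booleans as 1/0 in older releases and True/False in newer ones
    return value.strip().lower() in ("1", "true")


def _int(value, default=0):
    try:
        return int(value)
    except ValueError:
        return default


def analyse(rows):
    qname_counts = Counter()           # the sort | uniq -c | sort -nr equivalent
    long_qnames = []                   # dns.qry.name.len > 50
    leading_labels = defaultdict(set)  # parent domain -> distinct first labels
    icmp_large = []                    # icmp && frame.len > 100
    syn_targets = defaultdict(set)     # source -> hosts it sent low-window SYNs to

    for r in rows:
        # dns.qry.name can hold several comma-separated values in one frame
        for q in filter(None, r["qname"].split(",")):
            qname_counts[q] += 1
            if len(q) > LONG_QNAME:
                long_qnames.append((r["src"], q))
            labels = q.rstrip(".").split(".")
            if len(labels) > 2:
                # naive parent = last two labels; a public-suffix list would be better
                leading_labels[".".join(labels[-2:])].add(labels[0])
        if r["proto"] == "1" and _int(r["frame_len"]) > ICMP_FRAME_LEN:
            icmp_large.append((r["src"], r["dst"], _int(r["frame_len"])))
        if (r["proto"] == "6" and _flag(r["syn"]) and not _flag(r["ack"])
                and _int(r["win"], 65535) <= SYN_SCAN_WINDOW):
            syn_targets[r["src"]].add(r["dst"])

    return {
        "top_queries": qname_counts.most_common(),
        "long_qnames": long_qnames,
        "tunnel_parents": {p: len(s) for p, s in leading_labels.items()
                           if len(s) >= TUNNEL_MIN_LABELS},
        "icmp_large": icmp_large,
        "syn_scanners": sorted(s for s, t in syn_targets.items()
                               if len(t) >= SYN_SCAN_MIN_TARGETS),
    }


if __name__ == "__main__":
    # pass a file of tshark field output, or run without arguments to use the sample
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for key, value in analyse(parse_fields(text)).items():
        print(f"{key}: {value}")
```

The frame-length rule on its own would miss nothing in the sample but fires on every large ping in a busy network, which is why the script also keys on who is talking to whom; treat each list as a lead to look at in Wireshark, not as a verdict.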
What Undercode Say
Wireshark remains a critical tool for both offensive and defensive cybersecurity operations. Red teamers can leverage it for stealthy reconnaissance, while blue teams use it to detect malicious activity. Mastering Wireshark filters and TShark commands enhances your ability to analyze network traffic efficiently.
For further learning, explore:
Expected Output:
tshark -i eth0 -Y 'http.request.method == "POST" && http.file_data contains "password"' -w http_creds.pcap
References:
Reported By: Shihab Hossen – Hackers Feeds