Tshark Exercise

1. Introduction

You are a security investigator at a relatively small company. You have just been notified that there might have been a computer virus going around the office and infecting the workstations. Your team managed to capture the network traffic in the office for you to analyze. The .pcap file (a data file created using Wireshark that contains the packet data of a network) has been transferred to your remote Ubuntu workstation. In this module, you will use TShark, a free alternative tool to capture network traffic and view already captured data.

In some cases you might not have access to a graphical user interface and therefore can't use tools like Wireshark. This module is focused on basic .pcap file analysis using TShark. During the module, you will be using TShark to capture files and other data from the .pcap file.

2. PCAP Analysis

Without an input file, TShark simply acts like tcpdump. It will capture traffic from the first available network and display its packets to standard output. Alternatively, you can use the -r flag to specify the network capture file

tshark -r network_capture.pcap

This may seem complicated, but remember that the command-line output of TShark mirrors the Wireshark interface! The fields from left to right in the command line output are:

Packet numberTimeSourceDestinationProtocolLengthInfo

35

29.947879

192.168.0.55

192.168.0.91

HTTP

423

HTTP/1.1 200 OK

The Time field shows when the packet was captured. The Source and Destination fields show the source IP and destination IP of that packet. The Protocol field displays the protocol used. The Length field shows the length of the packet. And finally, the Info field displays any additional info about the packet.

You can filter these packet summaries by piping TShark's output into grep. For example, this command will output the packets with a “200 OK” HTTP status code.

tshark -r network.pcap | grep "200 OK"

3. Reveal IP address and find suspiscious file

Investigate the .pcap file with TShark:

The .pcap file location is /home/student/capture3.pcap.

  • The suspicious file you need to investigate is named upgrade-windows-defender.exe.

  • You are currently interested in HTTP traffic

How many times has the malicious file been downloaded in the network?

Name one of the IP addresses where the malicious file was downloaded from.

First we have to set a filter:

http.request.method == GET	# Filter out all GET http requests

With just that filter alone, we can't see anything interessting so far, because there are to many http get requests in that capture:

Beside the http get request filter we can grep the name of the suspiscious file:

tshark -r /home/student/capture3.pcap "http.request.method==GET" | grep "upgrade-windows-defender.exe"

As we can see the suspiscious file was downloaded 10 times and one of the IP's where the file was downloaded from is: 113.10.152.202

4. Extract the file from pcap

In a previous exercise I did allready learn different methods howto extract files from a tcp dump file. In this case I'll use tshark to extract files relating to http. It's not possible to extract just a single file. I've to extract everything:

tshark -r network.pcap --export-objects http,/home/student

I'll grep for upgrade-windows-defender and I'll also take the md5 hashes.

Just a short analysis from virustotal shows that the file is maliscious!

5. Find passwords

You can also specify the output format for the decoded packet data using the -T flag. For example, this command will display all HTTP GET requests in JSON format.

tshark -r network.pcap -T json "http.request.method==GET"

Finally, you can process the output from TShark by piping it into other command-line tools such as grep.

Since your preliminary investigation on the virus is done, you decide to analyze the rest of the .pcap file to see if everything is secure and the traffic encrypted. If malware has been moving around in the network you should make sure that there are no plain text passwords moving around as well.

You remember that you can easily filter what you are looking for in the .pcap file. When dealing with passwords, you need to filter for POST requests.

Investigate the .pcap file further with TShark and answer the questions:

  1. What is the password used by the user MozellRobel-EiZ?

  2. What is the password for the user Manager?

  3. What is Archie Shepherd's username?

To get the password of the user MozellRobel-EiZ, run:

tshark -r capture3.pcap -T json "http.request.method == POST && http.file_data contains MozellRobel-EiZ" | grep password

To get the password of the user Manager, run:

tshark -r capture3.pcap -T json "http.request.method == POST && http.file_data contains Manager" | grep password

To get the username of Archie Shepherd, run:

tshark -r capture3.pcap -T json "http.request.method == POST && http.file_data contains Shepherd" | grep username

Last updated