Wireshark undervisning
Jeg tilbyder en 2 dag kursus i brugen af wireshark som omhandler
følgende:
Dag1:
- Networkforensic information
- Statistic
- Display filters
- Capture filters
- File Carving
- Opbygning af profiler
- Metodikker
- Support tools
Dag2:
- Demo
Metodikker og teknikker trænes.
- Gennemgang af networkforinsic sager fra det virkelige liv.
Skriv til mig for mere information kontakt.
IEC-104
IEC-104 is a transmission protocols used for things like
controlling a powergrid.
When analysing this protocol i can recommend the documentation
TR-IEC104. Be aware that
Wireshark do not interpet all element types. So this is the best it
can be for now.
JA3 and JA3S
When hunting for malware there are using TLS, then it is nice to know
the JA3 ore the JA3S of the TLS connection. This is possible with a
plugin from
Github.
I have made this aviable as an easy packet, to implement in your own
Wireshark here as a plugin. Be aware that this
ONLY covers TCP
port 443
Extract the
zip file and copy to
your Wireshark profiles folder "\AppData\Roaming\Wireshark"
I have also made a
Wireshark JA3
profile as well. This just needs to be implemented as a regular
profile.
IcedID TLS Inspection
Hunting for the malware framework IcedID it is nessary to look for
what names a certificate was issued with. Quite often it it a self
signed certificate with bogus names. like this on with the name
"localhost".
GQUIC
or QUIC Profile (Updated 01-10-2021)
Looking for information about QUIC ore GQUIC. The newest protocol
schould only be QUIC and was released in 2021 v.1. - GQUIC is
obsolete.
ICMP Profile
Hunting for ICMP tunneling is quite easy with this Wireshark
profile. Exampel of a pTunnel running below.
iSCSI
profile
Hunting for iSCSI auth traffic and authentications. Easy to spot
with this profile
DHCP Profile (Updated 03-01-2021)
Often you will hunt for a rough DHCP server placed on your network.
This profile will make this very easy.
Optimized for Wiresharek 3.x versions.
DNS Profile
This will make DNS identification easy and bring DNS traffic to life
in Wireshark
SMB Profile
(Many updates for this profile as of 02-01-2020)
This will bring the analysis of SMB, SMB2 and SMB3 network traffic
to life in Wireshark. What you typically is looking for, is right
there...
More information about MS implementation
here
DDOS profile
(Updated 03-03-2022)
Based on my work for an ISP and the manage of Advanced DDOS
mitigation. This is based on known DDOS attacks. You can analyze the
type of attack quite fast. Tested
Wireshark V2.6.3
Magic numbers profile
Based on file types and there magic numbers it is easy to look for
different file types in network traffic like exe files and so on,
hidden in network traffic. Tested Wireshark
V2.6.3
Geolite2 databases for Wireshark
Wireshark can do name resolution on
captured traffic.
To get the free updated
Maxmind databases you need to sign up for a profile first.
(please do so)
You can get an older Maxmind databease
from here.
Tools
ColarSoft Packet Replay
Colarsoft Packet Builder
Caploader
Moloch
Network Miner
Security Onion
SNORT IDS/IPS
SOF-ELK
SplitCap
Suricata IDS/IPS
TraceWrangler
Wazuh
Wireshark
Zeek
Forensic
report
Report
framework
Cheat
Sheets
Port numbers
IPv4 Subnetting
Network Forensics and Analysis Poster
Poster Find
Evidence
Poster Find Evil
Scapy
Security Onion
Sysmon
Tcpdump
VOIP Basics
Wireshark
Display Filters
BPF
Filter syntax
Enum
Kibana
Netsh
Trace
Nmap
nping
Nslookup SPF
OS
TTL Fingerprint
Port list
PowerShell Commands
Local LAN NET
bloks
SID
SMTP Relay
Tjek
Google Tips
T-Shark
USB Boot Disk
Wireshark
Blacknurse.dk
Netresec
Wikipedia
PDF File