Wireshark fits nicely in any toolbox of the network forensic analyst and ethical hacker. From hundreds of dissectors that decode the protocol and application fields, to the customization capability that enables you to find that one item of interest in a sea of packets, Wireshark gives you all the necessary insights into traffic. “Wireshark for Hackers” will be a two-part series (5 hacks each) where we will attempt to turn your crawl into a walk… and maybe even a little swagger.
In Part I, we will start with some less-sexy baseline and passive discovery hacks with Wireshark. They’re necessary skills, but they won’t be included in a top-ranked film anytime soon. We will then detect unsecured and suspicious traffic on the network and later reassemble some of the suspect traffic elements. Then stay tuned for Part II next month, where we’ll force Wireshark to properly dissect traffic that is using a non-standard port number and add some columns to speed up the detection of a malicious HTTP redirection. We will finish up by decrypting TLS traffic and creating a trace file that contains an embedded TLS session key.
NOTE: Trace files referenced in this article can be downloaded from my online trace file library. Visit https://www.chappell-university.com/traces for instructions to access the Chappell University Trace File Library.
There’s a lot that Wireshark can do for the ethical hacker, so let’s get started on the first 5!
Hack #1: Baseline Your Traffic
No, it’s not very sexy, but baselining is a necessary skill for any network analyst.
Baselining is the process of capturing and identifying the “normal” traffic on a network. This traffic may include the auto-update applications on a network, a myriad of broadcast and multicast traffic streams, auto-detect applications scrounging around the network unnecessarily, and more.
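One way to put a baseline to work, as an added example that is not from the original post: export the same fields from a known-good capture and from a later capture with tshark (the rows below are constructed to match `tshark -T fields -E separator=, -e ip.src -e ip.dst -e _ws.col.Protocol -e udp.dstport` output), then report the hosts, protocols and flows that the baseline never showed. The file names and the sample rows are assumptions.

```python
"""Flag traffic in a new capture that never appeared in the baseline capture."""
from collections import Counter

# Constructed sample rows, embedded so the script runs offline. In practice you
# would read baseline.csv / current.csv written by tshark from two trace files.
BASELINE_CSV = """\
10.0.0.5,239.255.255.250,SSDP,1900
10.0.0.7,10.0.0.255,NBNS,137
10.0.0.5,224.0.0.251,MDNS,5353
10.0.0.9,10.0.0.1,DNS,53
10.0.0.5,239.255.255.250,SSDP,1900
"""

CURRENT_CSV = """\
10.0.0.5,239.255.255.250,SSDP,1900
10.0.0.7,10.0.0.255,NBNS,137
10.0.0.9,10.0.0.1,DNS,53
10.0.0.12,10.0.0.1,DNS,53
10.0.0.12,10.0.0.255,NBNS,137
10.0.0.9,198.51.100.20,TFTP,69
"""


def parse_rows(text):
    """Turn tshark field output into a Counter of (src, dst, proto, port) flows.

    TCP packets leave udp.dstport empty, so the port column may be ''.
    """
    counts = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, port = line.split(",")
        counts[(src, dst, proto, port)] += 1
    return counts


def compare_to_baseline(baseline, current):
    """Return what the current capture contains that the baseline did not."""
    base_hosts = {flow[0] for flow in baseline}
    base_protos = {flow[2] for flow in baseline}
    return {
        "new_hosts": sorted({flow[0] for flow in current} - base_hosts),
        "new_protocols": sorted({flow[2] for flow in current} - base_protos),
        "new_flows": sorted(flow for flow in current if flow not in baseline),
    }


if __name__ == "__main__":
    report = compare_to_baseline(parse_rows(BASELINE_CSV), parse_rows(CURRENT_CSV))
    for key, items in report.items():
        print(key, items)
```

Anything in the report is a lead to investigate, not proof of compromise: a new host may simply be a new workstation, but a protocol the baseline never contained (here, TFTP to an off-subnet address) deserves a closer look in Wireshark.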
*** This is a Security Bloggers Network syndicated blog from The Ethical Hacker Network authored by Laura Chappell. Read the original post at: http://feedproxy.google.com/~r/eh-net/~3/0ALlLxDXpg0/