Beginners Guide to TShark (Part 2)

In the previous article, we learned about the basic functionalities of this wonderful tool called TShark. If you haven’t read it yet, click here.

TL;DR

In this part, we will look at the statistical functionalities of TShark: the different ways in which a traffic capture can be summarised and sorted so that we can analyse it faster and more effectively.

Table of Content

  • Statistical Options
  • Protocol Hierarchy Statistics
  • Read Filter Analysis
  • Endpoints Analysis
  • Conversation Analysis
  • Expert Mode Analysis
  • Packet Distribution Tree
  • Packet Length Tree
  • Color Based Output Analysis
  • Ring Buffer Analysis
  • Auto-Stop
    • Duration
    • File Size
  • Data-Link Types

Statistical Options

TShark collects different types of statistics and displays the result after it has finished reading the capture file. To do this we use the “-z” parameter. To see all the statistics the “-z” parameter supports, run TShark with “-z” followed by the help keyword (tshark -z help). This prints an exhaustive list of the supported statistics, as shown in the image given below.

Protocol Hierarchy Statistics

Using TShark we can build a Protocol Hierarchy Statistics listing, with the number of packets and bytes per protocol, using the “io,phs” option of the “-z” parameter. If no filter is given after “io,phs”, the statistics are calculated for all packets in the capture; if a filter is appended (“-z io,phs,<filter>”), TShark calculates the statistics only for the packets matching that filter. For our demonstration we first captured some traffic and wrote it to a pcap file using the techniques we learned in part 1 of this series, then read the traffic back from the file and summarised it as a protocol hierarchy. Here we can observe the frame count, the size in bytes and the protocol used at each layer of the hierarchy. Note that a frame is counted once at every layer it carries, so a child protocol’s count is never larger than its parent’s.
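The io,phs listing is plain text, so it is easy to post-process. The following is an added example, not code from the article: it parses a protocol hierarchy block in the layout tshark prints (the sample below is constructed, not the author’s output), reports each protocol’s share of all frames, and checks the one invariant real output must satisfy (a child never exceeds its parent).

```python
import re

# Constructed sample in the layout of `tshark -r capture.pcap -z io,phs`
# (not the author's output): one line per protocol layer, nested by indentation.
SAMPLE_PHS = """
===================================================================
Protocol Hierarchy Statistics
Filter:

eth                                      frames:126 bytes:23748
  ip                                     frames:124 bytes:23600
    tcp                                  frames:100 bytes:20000
      http                               frames:14 bytes:8000
    udp                                  frames:24 bytes:3600
      dns                                frames:24 bytes:3600
  arp                                    frames:2 bytes:148
===================================================================
"""

# A statistics line: leading indentation, protocol name, then the two counters.
LINE_RE = re.compile(
    r"^(?P<indent>\s*)(?P<proto>\S+)\s+frames:(?P<frames>\d+)\s+bytes:(?P<bytes>\d+)\s*$"
)


def parse_phs(text):
    """Turn the io,phs text into a forest of {"proto", "frames", "bytes", "children"}.

    The indentation step is not hard-coded: a node is a child of the nearest
    preceding line with smaller indentation.
    """
    roots, stack = [], []  # stack holds (indent, node) for the current path
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # banner, "Filter:" line, separators
            continue
        indent = len(m.group("indent"))
        node = {
            "proto": m.group("proto"),
            "frames": int(m.group("frames")),
            "bytes": int(m.group("bytes")),
            "children": [],
        }
        while stack and stack[-1][0] >= indent:
            stack.pop()
        (stack[-1][1]["children"] if stack else roots).append(node)
        stack.append((indent, node))
    return roots


def flatten(nodes, path=()):
    """Yield (path, frames, bytes) for every node, depth first, path as a tuple."""
    for node in nodes:
        here = path + (node["proto"],)
        yield here, node["frames"], node["bytes"]
        yield from flatten(node["children"], here)


def frame_share(text):
    """Map 'eth/ip/tcp/http' style paths to their percentage of all top-level frames.

    A frame is counted once per layer it carries, so the leaves do not have to
    add up to the root.
    """
    roots = parse_phs(text)
    total = sum(r["frames"] for r in roots)
    return {"/".join(p): round(100.0 * f / total, 1) for p, f, _ in flatten(roots)}


def check_consistency(text):
    """Return the paths whose frame count exceeds their parent's: a sign the
    text was truncated or mis-parsed, since that cannot happen in real output."""
    bad = []

    def walk(node, parent_frames, path):
        here = path + (node["proto"],)
        if parent_frames is not None and node["frames"] > parent_frames:
            bad.append("/".join(here))
        for child in node["children"]:
            walk(child, node["frames"], here)

    for root in parse_phs(text):
        walk(root, None, ())
    return bad


if __name__ == "__main__":
    for path, pct in frame_share(SAMPLE_PHS).items():
        print("%-20s %5.1f%%" % (path, pct))
    print("inconsistent:", check_consistency(SAMPLE_PHS))
```

Feed it the saved output of `tshark -r capture.pcap -z io,phs -q` and the share table tells you at a glance whether, say, DNS or HTTP dominates the capture before you start filtering.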

Read Filter Analysis

A read filter is applied during the first pass of analysis (it uses the syntax of read/display filters, not that of capture filters). Packets that do not match the filter are dropped and are not considered in later passes, so this parameter (“-R”) only makes sense together with multiple passes; current versions require “-2” when “-R” is used. Note that forward-looking fields such as ‘response in frame #’ cannot be used in a read filter, because they have not been calculated yet when the filter is applied. The “-2” parameter performs a two-pass analysis. This makes TShark buffer its output until the whole first pass is done, but allows it to fill in fields that require knowledge of later packets, and it also lets reassembly frame dependencies be calculated correctly. Here we can see the two analyses: the single-pass analysis first, then the two-pass analysis.

Endpoints Analysis

Our next statistics option is “endpoints” (“-z endpoints,<type>[,<filter>]”). It creates a table listing every endpoint seen in the capture. The type given after the option selects the endpoint type for which the statistics are generated.

The endpoint types supported by TShark are:

  • bluetooth  Bluetooth addresses
  • eth        Ethernet addresses
  • fc         Fibre Channel addresses
  • fddi       FDDI addresses
  • ip         IPv4 addresses
  • ipv6       IPv6 addresses
  • ipx        IPX addresses
  • jxta       JXTA addresses
  • ncp        NCP addresses
  • rsvp       RSVP addresses
  • sctp       SCTP addresses
  • tcp        TCP/IP socket pairs (both IPv4 and IPv6 supported)
  • tr         Token Ring addresses
  • usb        USB addresses
  • udp        UDP/IP socket pairs (both IPv4 and IPv6 supported)
  • wlan       IEEE 802.11 addresses

If a filter is specified, the statistics are calculated only for the packets matching it. The table shown in the image below has one line per endpoint, giving the number of packets and bytes sent and received by that endpoint (Tx and Rx) as well as the total number of packets and bytes. By default the table is sorted by the total number of frames.

Conversation Analysis

Let’s move on to the next option, “conversation” (“-z conv,<type>[,<filter>]”), which is quite similar to the previous one. It creates a table listing every conversation seen in the capture; the type given after the option selects the conversation type (for example eth, ip, tcp or udp) for which the statistics are generated.

If a filter is specified, the statistics are calculated only for the packets matching it. The table has one line per conversation, giving the number of packets and bytes in each direction (A to B and B to A), the total number of packets and bytes, and the relative start time and duration of the conversation. By default it is sorted by the total number of frames.
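How the endpoints and conversation tables above are put together, as an added example that is not code from the article: the functions below build them from a list of packets the way tshark does for “-z conv,tcp” and “-z endpoints,ip”, including the default sort by total frames. The packet list is constructed to look like a short browsing session; the addresses and sizes are made up.

```python
from collections import defaultdict

# Constructed packets (not from the author's capture): one tuple per frame as
# (src_ip, src_port, dst_ip, dst_port, frame_length_in_bytes).
PACKETS = [
    ("192.168.1.11", 49152, "93.184.216.34", 80, 74),     # SYN
    ("93.184.216.34", 80, "192.168.1.11", 49152, 74),     # SYN/ACK
    ("192.168.1.11", 49152, "93.184.216.34", 80, 66),     # ACK
    ("192.168.1.11", 49152, "93.184.216.34", 80, 512),    # HTTP request
    ("93.184.216.34", 80, "192.168.1.11", 49152, 1514),   # response segment
    ("93.184.216.34", 80, "192.168.1.11", 49152, 1514),   # response segment
    ("192.168.1.11", 49153, "192.168.1.1", 53, 80),       # DNS query
    ("192.168.1.1", 53, "192.168.1.11", 49153, 120),      # DNS answer
]


def conversations(packets):
    """One row per socket pair, like `-z conv,tcp`: frames and bytes in each
    direction plus totals, sorted by total frames descending (tshark's default).

    The pair is keyed on the sorted (ip, port) tuples so that both directions of
    the same connection land on the same row; which side is called A only
    affects the column labels, not the totals.
    """
    rows = {}
    for src, sport, dst, dport, size in packets:
        a, b = (src, sport), (dst, dport)
        key = (a, b) if a <= b else (b, a)
        row = rows.setdefault(key, {"ab_frames": 0, "ab_bytes": 0, "ba_frames": 0, "ba_bytes": 0})
        direction = "ab" if (a, b) == key else "ba"
        row[direction + "_frames"] += 1
        row[direction + "_bytes"] += size
    table = []
    for (a, b), r in rows.items():
        table.append({
            "a": "%s:%d" % a, "b": "%s:%d" % b, **r,
            "frames": r["ab_frames"] + r["ba_frames"],
            "bytes": r["ab_bytes"] + r["ba_bytes"],
        })
    table.sort(key=lambda r: r["frames"], reverse=True)
    return table


def endpoints(packets):
    """One row per IP address, like `-z endpoints,ip`: transmitted and received
    frames/bytes plus totals, sorted by total frames descending."""
    stats = defaultdict(lambda: {"tx_frames": 0, "tx_bytes": 0, "rx_frames": 0, "rx_bytes": 0})
    for src, _, dst, _, size in packets:
        stats[src]["tx_frames"] += 1
        stats[src]["tx_bytes"] += size
        stats[dst]["rx_frames"] += 1
        stats[dst]["rx_bytes"] += size
    table = [{"address": ip, **s,
              "frames": s["tx_frames"] + s["rx_frames"],
              "bytes": s["tx_bytes"] + s["rx_bytes"]} for ip, s in stats.items()]
    table.sort(key=lambda r: r["frames"], reverse=True)
    return table


def top_talkers(packets, n=2):
    """Addresses responsible for the most frames; a quick triage view."""
    return [row["address"] for row in endpoints(packets)[:n]]


if __name__ == "__main__":
    print("%-22s %-22s %6s %6s %6s %6s %6s %6s" %
          ("A", "B", "A->B", "bytes", "B->A", "bytes", "frames", "bytes"))
    for r in conversations(PACKETS):
        print("%-22s %-22s %6d %6d %6d %6d %6d %6d" % (
            r["a"], r["b"], r["ab_frames"], r["ab_bytes"],
            r["ba_frames"], r["ba_bytes"], r["frames"], r["bytes"]))
    print("top talkers:", top_talkers(PACKETS))
```

The asymmetry between the two byte columns is the useful signal: a client that sends far more than it receives on an outbound conversation is the pattern to look for when hunting for data exfiltration.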

Expert Mode Analysis

The TShark statistics module also has an expert mode (“-z expert[,<severity>][,<filter>]”). It collects the Expert Info items generated while dissecting the capture and prints them grouped by severity (Errors, Warnings, Notes and Chats). A filter can be given to restrict the output, for example to a particular protocol, in which case only the expert items of that protocol are displayed.

Packet Distribution Tree

Here we take the traffic from the capture and drive it through the “http,tree” option of the “-z” parameter, which counts the HTTP packets, the requests broken down by method and the responses broken down by status code. This is a modular view that is very easy to understand and analyse. In our case we took the capture from earlier and drove it through the tree option; it reported a total of 126 requests, of which only 14 got a “200 OK” back. The rest of the responses fell into the other status-code classes, that is, they either returned an error or were redirected elsewhere with a 3xx status code.

Packet Length Tree

While we are on the subject of tree statistics, let’s explore them a bit further. Several statistics can be displayed in this tree form; to demonstrate it we use the packet length statistic (“-z plen,tree”). It groups the packets into ranges by frame size and generates a table with one row per range. Each row gives not only the length range but also the count of packets in it, the average, minimum and maximum length within the range, and the percentage of all packets that fall into that range.
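As an added example that is not part of the article, the function below reproduces the binning that “-z plen,tree” performs, using the length ranges Wireshark’s Packet Lengths statistic uses; the list of frame lengths is constructed, not taken from the author’s capture.

```python
# Length ranges used by Wireshark's Packet Lengths statistic (what `-z plen,tree`
# prints); the last range is open ended.
BUCKETS = [(0, 19), (20, 39), (40, 79), (80, 159), (160, 319), (320, 639),
           (640, 1279), (1280, 2559), (2560, 5119), (5120, None)]

# Constructed frame lengths in bytes (not taken from the author's capture):
# a few ARP/TCP control frames, two DNS-sized frames, one request, four
# full-size segments and one jumbo frame.
LENGTHS = [42, 60, 60, 66, 74, 74, 80, 120, 512, 1514, 1514, 1514, 1514, 9000]


def plen_tree(lengths):
    """One row per range: count, average, min, max and percentage of all frames,
    in the same order tshark prints them. Empty ranges are kept (count 0) so the
    table always has ten rows."""
    total = len(lengths)
    rows = []
    for lo, hi in BUCKETS:
        hits = [n for n in lengths if n >= lo and (hi is None or n <= hi)]
        rows.append({
            "range": "%d-%d" % (lo, hi) if hi is not None else "%d and greater" % lo,
            "count": len(hits),
            "average": round(sum(hits) / len(hits), 2) if hits else 0.0,
            "min": min(hits) if hits else 0,
            "max": max(hits) if hits else 0,
            "percent": round(100.0 * len(hits) / total, 2) if total else 0.0,
        })
    return rows


def largest_bucket(lengths):
    """The range holding the most frames. On a real capture a spike in the
    smallest ranges (a flood of tiny frames) or in the largest one (a bulk
    transfer) is the first thing to look at."""
    return max(plen_tree(lengths), key=lambda r: r["count"])["range"]


if __name__ == "__main__":
    print("%-16s %5s %9s %5s %5s %7s" % ("Range", "Count", "Average", "Min", "Max", "Percent"))
    for r in plen_tree(LENGTHS):
        print("%-16s %5d %9.2f %5d %5d %6.2f%%" % (
            r["range"], r["count"], r["average"], r["min"], r["max"], r["percent"]))
    print("busiest range:", largest_bucket(LENGTHS))
```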

Color Based Output Analysis

Note: Your terminal must support color output in order for this option to work correctly.

We can enable coloring of packets according to the standard Wireshark coloring rules with the “--color” parameter. On Windows, colors are limited to the standard console character attribute colors. The coloring rules are display filters, so the color of a packet tells us at a glance which rule it matched; this helps in quickly locating a specific packet among many similar packets, for example the handshakes in a stream of traffic. It is enabled using the following command.

Ring Buffer Analysis

With the “-b” parameter TShark runs in “multiple files” mode. In this mode TShark writes into several capture files: when the first capture file fills up to the configured limit, TShark switches to the next file, and so on. The base name of the files is given with the -w parameter; the file number and the creation date and time are appended to that name to form the complete file name.

The files option keeps creating new files until the given number of files has been written; at that moment TShark discards the data in the first file, starts writing to it again, and so on round the ring. If the files option is not set, new files are created until one of the capture stop conditions is met or the disk is full.

There are several criteria on which the ring buffer can work, but in our demonstration we used two of them: files and filesize.

files:value begins again with the first file after value files have been written (forming a ring buffer). This value must be less than 100000.

filesize:value switches to the next file after it reaches a size of value kB. Note that the file size is limited to a maximum value of 2 GiB.

Auto-Stop

Among the huge array of options there is one called auto-stop (“-a”). As the name tells us, it stops the capture once the given criterion is matched.

Duration

We have a couple of criteria to choose from; in our demonstration we used duration. We set the duration to 10, a value in seconds, so the capture tells us that in 10 seconds we captured 9 packets.

File Size

Another criterion for auto-stop is the file size. TShark stops writing to the capture file once it reaches the size given by the user. In our demonstration we set filesize to 1; this value is in kB. We used the directory listing command to show that the capture was terminated as soon as the file reached 1 kB.

Data-Link Types

Finally, TShark can also tell us which data-link types the capture interface supports. For that we use an independent parameter, “-L”, which lists the data-link types for the selected interface; a particular type can then be chosen for the capture with the “-y” parameter. In our demonstration the “-L” parameter showed data-link types such as EN10MB for Ethernet traffic, among others.

Author: Shubham Sharma is a Pentester, Cybersecurity Researcher and Enthusiast, contact here.

Steal Windows Password using FakeLogonScreen

In this article, we are going to focus on a tool that caught my attention. It creates a fake Windows logon screen, forces the user to enter their correct credentials and then relays those credentials to the attacker. It can be used in different scenarios.

This tool was developed by Arris Huijgen. I have already described what the tool does, and it does not do much beyond that. To better understand how it works, I will perform a practical with the tool using the systems configured as described below.

Download the executables for the practical by clicking here.

Table of Content

  • Configurations used in Practical
  • Scenario
  • Payload Creation
  • Starting Listener
  • Uploading the FakeLogonScreen Executable
  • Credentials Entering on Target Side
  • Grabbing the Credentials
  • Additional Information
  • Mitigations

Configurations used in Practical

Attacker:

    OS: Kali Linux 2020.1

    IP: 192.168.1.13

Target:

    OS: Windows 10 (Build 18363)

    IP: 192.168.1.11

Scenario

There is a system connected to the same network as the attacker, and the attacker is hunting for the credentials of the target system. The information the attacker already has is the IP address and the operating system of the target. This kind of information is quite easy to come by.

Payload Creation

To get started, I used the msfvenom tool to craft a payload matching the OS of my target system, with my Kali machine’s IP address as the LHOST. As the target was running Windows, I made the payload an executable file that can be run easily. After crafting the payload, I ran a Python one-liner to start an HTTP server on the attacker machine that hosts the payload on port 80.

In a real-life scenario, the attacker would use some kind of social engineering to manipulate the target user into downloading this malicious payload onto their system. This can be done long before the actual attack is performed.

Starting Listener

With our payload ready and hosted, we now need to start a listener that will receive the session from the payload. After setting up the proper configuration, I went straight to the target machine and executed the payload. Again, this is a lab demonstration; real-life scenarios will vary.

Uploading the FakeLogonScreen Executable

After getting the meterpreter session, we upload FakeLogonScreen.exe to the target system. The executable is in the archive we downloaded earlier. After a successful upload, we drop to the command line of the target machine using the shell command and run the executable as shown in the image given below.

Credentials Entering on Target Side

As soon as we run the executable through the shell, all the current windows on the target system are minimised and a logon screen pops up as shown in the image given below. It looks like a genuine logon screen, so the target user assumes there was an accidental log off and, in order to resume work, unknowingly enters their credentials.

To demonstrate that the password is actually checked, we first entered wrong credentials. The logon screen returned the error “The password is incorrect. Try again”, which shows that the target user has to enter valid credentials to get through.

Next, we entered valid credentials, and all the minimised windows were restored to the way they were.

Grabbing the Credentials

Let’s head back to the attacker machine to see whether we were able to grab the password. As shown in the image given below, the FakeLogonScreen output works much like a keylogger: we first see the “wrong password” entered in the password field to test the failure case, then the correct password “123”, so we successfully grabbed the target user’s password.

Additional Information

I contacted the author of this tool to find out how it behaves in multi-monitor setups: when executed with multiple desktops, all the other screens turn black. Also, if the target user has configured a customised logon background, that background is shown. This is a plus point in an office environment, where systems often carry a custom company image on the logon screen.

There is another executable in the zip file we downloaded earlier, named “FakeLogonScreenToFile.exe”. It works the same way but, in addition to displaying the password, stores it at the following location:

%LOCALAPPDATA%\Microsoft\user.db

The tool also works on Windows 7. Although Windows 7 has reached its end of life, a huge number of systems in production still run it. If required, the Windows 7 build can be found in the “DOTNET35” directory.

The tool can also be integrated with Cobalt Strike. Check out here.

Mitigations

  • Verify download sources before running any executable.
  • Monitor the user’s AppData directory for the user.db file written by FakeLogonScreenToFile.exe.
  • Treat an unexpected logon screen with suspicion and properly check everything it shows; a genuine lock can be forced with Win+L to compare.
  • Implement a password change policy of shorter duration, so that a captured password has limited life.

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. Can be Contacted on Twitter and LinkedIn

Beginners Guide to TShark (Part 1)

In this article, we will learn about TShark, a well-known network protocol analyzer. It lets us capture data packets from the live network and also read or analyse packets previously captured to a saved file.

Table of content

  • Network traffic
  • Introduction to TShark
  • List interfaces
  • Capture traffic
  • Capture the interface in promiscuous mode
  • Capture the packet count
  • Read and Write in a file
  • Verbose mode
  • Output Formats
  • Difference between decoded packets and encoded packets
  • Converting PDML file HTML page
  • Capturing packets of a particular port
  • Display filter

Network traffic

Network traffic, or data traffic, is the amount of data moving across a network at a given point in time. In computer networks this data travels as network packets, and analysing these packets helps security by letting us monitor what the network is doing. If there is an unusual amount of traffic, which is a possible sign of an attack, TShark can help us notice it before it is too late and stop the attack, because traffic reports give insight into what is happening on the network.

Traffic volume is a term used in network traffic analysis. It is a measure of the total work done by the network, defined as the average traffic intensity multiplied by the time period over which the packets were studied.

Introduction to TShark

TShark is a well-known and powerful command-line network analyzer that is part of the Wireshark project. It works much like tcpdump, but it has Wireshark’s powerful protocol decoders and filters. TShark can capture packet information from the different network layers and display it in different formats.

TShark is used to analyse real-time network traffic, and it can also read .pcap files, dig into the details of the connections they contain and help security professionals identify their network problems.

TShark is a command-line tool that can do almost everything Wireshark does. So let us start our learning process with TShark by launching the tool and exploring its options. To check out all the parameters, use the following command:

List interfaces

TShark prints a list of the interfaces on which it can capture. Each interface is referred to by its number, followed by a text description of the network interface. An interface is selected with the -i parameter, which specifies the interface whose traffic we want to capture; to list these interfaces, use the -D parameter as shown in the image below:

Capture traffic

Let’s now try to capture traffic. We have various interfaces to choose from depending on our needs and requirements, but in our scenario we are going to use “eth0”. Because we are testing on a controlled network, we need to generate some traffic as well, so we use the ping command; to capture it we just specify the interface name with the -i parameter, as shown in the image below:

As we can clearly see, the capture shows the preliminary traffic needed to reach the host, followed by the ICMP echo requests and replies.

Promiscuous mode

In networking, promiscuous mode is a mode of a network interface controller in which it passes every frame it receives to the host instead of only the frames addressed to it. It is normally used for packet sniffing, on a router or on a computer connected to a wired network or forming part of a LAN. TShark captures in promiscuous mode by default; the -p parameter disables it.

To use this mode we can also enable it on the interface itself with ifconfig, so that the interface passes up the packets of the whole network segment. We will start by pinging a website and try to capture its packets.

Now, configure the promiscuous mode by following these commands and try to capture the packets :

Packet count

TShark has many features that let us work more efficiently, and we access them through its parameters. One such parameter is ‘-c’, which makes TShark stop after capturing exactly the number of packets we specify and display only those. This option helps us refine the captured traffic.

As we can clearly see in the image above, it stops after 10 packets.

Read and Write in a file

In TShark we can write to and read from .pcap files. The write option (-w) writes the raw packet data to a standard .pcap file, whereas the read option (-r) reads such a file back so that we can analyse the packets in our desired manner. To write packets to a .pcap file use the following command:

And to read the said .pcap file use the following command :

Verbose mode

Verbose mode gives us the full details of each packet in the traffic. With verbose mode, enabled with the -V parameter, we can see all the information each packet contains.

Output formats

For our convenience, TShark has the -T option that lets us output decoded packets in various formats. It sets the format of the output so that it becomes easy to understand or to process with other tools. To see all the available formats, type the following command:

PDML

PDML stands for Packet Details Markup Language, an XML-based format. The information it carries is equivalent to the verbose mode we used earlier. To get output in this format type the following command:

PS

PS stands for PostScript. This output is either a one-line summary of each packet or a multi-line detailed view of each packet, depending on the packet-detail options given. These one-liners are very quick to understand as well as reliable. For this, use the following command:

PSML

PSML stands for Packet Summary Markup Language. It is also an XML-based format like PDML, but it contains only the summary information of the packets. For this format type:

JSON

JSON stands for JavaScript Object Notation. It is an open standard text format that is both human-readable and easy to process programmatically, which makes it a good choice when the packet details are to be fed into other tools. To see the packets in this format, type:

EK

EK is newline-delimited JSON intended for bulk import into Elasticsearch. For this format use the following command:

Text

Text is a human-readable one-line summary of each packet. This is the simplest of the formats. For this, use the following command:

Tabs

This option is quite similar to text, except that it includes an ASCII horizontal tab (0x09) character as the delimiter between columns. To try this, type:

Difference between decoded packets and encoded packets

When we write live packets to a .pcap file, the file holds the raw bytes of each packet and nothing else. To make sense of those packets we decode them, and the decoded output (for example the verbose or PDML output) expands every protocol field into text, which is why it is much larger than the capture it came from. To compare the sizes of the files at any given moment use the following command:

As we discussed, there is a huge difference between these files; that is why we use decoding to extract this information from the raw capture.

Converting PDML file HTML page

The main difference between Wireshark and TShark is that Wireshark is a GUI tool and TShark is command-line based. But with the help of an external tool we can also view our packets as an HTML page. To achieve this, we first save our packets in PDML format, which is XML, using the following command:

Wireshark ships an XSLT stylesheet for this purpose at /usr/share/wireshark/pdml2html.xsl. We use the xsltproc tool to apply this stylesheet to the PDML file, which creates our HTML page. The stylesheet leaves out the unnecessary detail and only lets us view the usable data. To create the HTML, use the following command:

To open the HTML page in the browser, refer to the above image and use the following command :

Capturing packets of a particular port

A lot of the time we are interested in one particular port. With the -f option we can give a capture filter (in tcpdump/BPF syntax) so that only the packets for that port are captured, which helps us analyse the network’s packets better. Here we use this feature to capture TCP port 80, and the command for this is:

Display filter

Display filters were introduced by Wireshark. They let us filter captured packets or live packets by protocol field; with TShark the display filter is given with the -Y parameter, so we can ask for exactly the packets we want to see in the live environment.

In our scenario, we apply a filter for HTTP GET requests (http.request.method == "GET") so that only the GET requests are shown from the traffic; for that, use the following command:
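Because PDML is XML, the output of “-T pdml” can be processed with any XML parser. The following is an added example, not code from the article: it walks a PDML document, collects each packet’s fields into a dictionary and applies a display-filter-style predicate such as the GET filter above; it also counts requests per method. The PDML fragment is constructed in the layout tshark emits, trimmed to a few fields.

```python
import xml.etree.ElementTree as ET

# Constructed PDML fragment (not the author's capture) in the layout `tshark -T pdml`
# emits: <packet> holds <proto> elements, each holding <field> elements whose
# "show" attribute is the displayed value. Real output has many more fields.
SAMPLE_PDML = """
<pdml version="0" creator="wireshark/3.2.3">
  <packet>
    <proto name="frame"><field name="frame.number" show="1"/></proto>
    <proto name="ip"><field name="ip.src" show="192.168.1.11"/><field name="ip.dst" show="93.184.216.34"/></proto>
    <proto name="tcp"><field name="tcp.dstport" show="80"/></proto>
    <proto name="http">
      <field name="http.request.method" show="GET"/>
      <field name="http.request.uri" show="/index.html"/>
    </proto>
  </packet>
  <packet>
    <proto name="frame"><field name="frame.number" show="2"/></proto>
    <proto name="ip"><field name="ip.src" show="93.184.216.34"/><field name="ip.dst" show="192.168.1.11"/></proto>
    <proto name="tcp"><field name="tcp.srcport" show="80"/></proto>
    <proto name="http"><field name="http.response.code" show="200"/></proto>
  </packet>
  <packet>
    <proto name="frame"><field name="frame.number" show="3"/></proto>
    <proto name="ip"><field name="ip.src" show="192.168.1.11"/><field name="ip.dst" show="93.184.216.34"/></proto>
    <proto name="tcp"><field name="tcp.dstport" show="80"/></proto>
    <proto name="http">
      <field name="http.request.method" show="POST"/>
      <field name="http.request.uri" show="/login"/>
    </proto>
  </packet>
</pdml>
"""


def packets(pdml_text):
    """Yield one dict per <packet>, mapping field name -> displayed value.

    Fields can be nested inside other fields in real PDML, so every descendant
    <field> is visited. The first occurrence of a name wins; collect a list
    instead if you need every value of a repeated field.
    """
    root = ET.fromstring(pdml_text.strip())
    for pkt in root.iter("packet"):
        fields = {}
        for field in pkt.iter("field"):
            name = field.get("name")
            if name and name not in fields:
                fields[name] = field.get("show", "")
        yield fields


def select(pdml_text, predicate):
    """Keep the packets for which predicate(fields) is true: the equivalent of
    running the capture through a display filter (-Y)."""
    return [fields for fields in packets(pdml_text) if predicate(fields)]


def is_get(fields):
    """Same test as the display filter  http.request.method == "GET"."""
    return fields.get("http.request.method") == "GET"


def requests_by_method(pdml_text):
    """Count HTTP requests per method, like the request branch of -z http,tree."""
    counts = {}
    for fields in packets(pdml_text):
        method = fields.get("http.request.method")
        if method:
            counts[method] = counts.get(method, 0) + 1
    return counts


if __name__ == "__main__":
    for f in select(SAMPLE_PDML, is_get):
        print("frame %s: %s -> %s GET %s" % (
            f["frame.number"], f["ip.src"], f["ip.dst"], f["http.request.uri"]))
    print(requests_by_method(SAMPLE_PDML))
```

For large captures, filter with -Y in tshark first and only export the matching packets to PDML: the decoded XML is many times the size of the pcap, as the section on decoded versus raw packets above shows.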

Conclusion

This article focused on the basic commands and functionality of TShark, as it is the first article in the series. Get yourself familiar with these features and stay tuned for the advanced features of TShark in our next article.

Author: Shubham Sharma is a Pentester, Cybersecurity Researcher and Enthusiast, contact here.

Multiple Ways to Persistence on Windows 10 with Metasploit

In this article, you will learn multiple ways to maintain access, that is, to create a persistent backdoor with the help of the Metasploit Framework on a host machine you have already compromised.

Table of Content

  • Persistence Backdoor
  • Pre-requisites
  • Methods for Generating persistence using Metasploit
    • Persistence_service
    • Mitigation method for persistence_service exploit
    • Persistence_exe
    • Mitigation method for persistence_exe exploit
    • Registry_persistence
    • Mitigation method for Registry_persistence exploit
    • Persistence through Netcat
    • Persistence through Remote Desktop Protocol
  • Conclusion

Persistence Backdoor

Persistence simply means permanent access, so in this post we share multiple methods to plant a permanent backdoor on the victim machine.

A lot of hard work goes into exploiting a system, and once it is exploited you need more time to examine or penetrate the victim’s system further. If the victim shuts down the system or changes the credentials at that point, all your hard work is wasted. That is why maintaining access is an important phase of penetration testing. Persistence consists of the techniques adversaries use to keep access to systems across restarts, changed credentials and other interruptions that could cut off their access.

Pre-requisites

Windows 10 - Victim system

Kali Linux - Attacker (Metasploit Framework)

Note: To create a persistence backdoor you need an already compromised victim machine with a meterpreter session; that is the starting point for all the practices taught in this post.

Methods for Generating persistence using Metasploit

Let’s start. We have already compromised the Windows 10 machine (the victim’s PC) and have a meterpreter session with admin rights. To learn how to get admin access, click here. Now we want to leave a permanent backdoor on the victim system that will give us a reverse connection next time.

Service Persistence

This module (exploit/windows/local/persistence_service) generates and uploads an executable to the remote host and then registers it as a persistent service. It creates a new service that starts the payload whenever the service runs. Admin or SYSTEM privilege is required.

Thus, we will run the following commands on Kali Linux to run the above-listed module:

The module generates and uploads an executable to the victim’s system under the C:\Windows\Temp directory as “IVFC.exe” and registers it as a persistent service.

If the victim reboots the system, the previous meterpreter session is closed. We only need to set up multi/handler to catch the payload when it runs again, using the following commands:

Once the victim system starts, we automatically get the meterpreter session again.

When the PC starts, some of its services start by default, and the persistence_service module has created a new service that starts the payload whenever the service runs. In the image below you can see the executable IVFC.exe running under the SYSTEM user, and we can verify its path:

C:\Windows\Temp\IVFC.exe

Mitigation method for persistence_service exploit

First identify the unfamiliar running processes, then stop the running executable, i.e. IVFC.exe, delete it from the Temp directory and remove the service it was registered as, so that it is not started again at the next boot.

Persistence_exe

This is the second method to maintain access to the victim’s PC. In this scenario we already have a meterpreter session on the victim’s PC with user-level access.

This module (exploit/windows/local/persistence_exe) uploads an executable to the victim’s system and makes it persistent. It can be installed as a user, as system or as a service. We use it with session 1 (the session of the already compromised system) and set REXEPATH (the remote executable path) to our payload file; the module copies that file to the victim’s Temp directory under the name default.exe (change it with the REXENAME option) and sets it to autorun under the registry path shown in the image below (HKCU\Software\Microsoft\Windows\CurrentVersion\Run when installed as a user).

 To run this module, type the following commands:

After successful execution of the above module, we have to set up multi/handler using the following command:

Once the victim reboots the PC and logs in, we automatically get the meterpreter session.

In the image below you can see what persistence_exe has done: it created the autorun entry under the registry path HKCU\Software\Microsoft\Windows\CurrentVersion\Run, so the payload starts as soon as the victim logs in. Its default.exe file is created under the Temp directory.

Mitigation Method for Persistence_exe

First, remove the entry from the registry under the path HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Then delete the executable payload (default.exe) from the Temp directory and reboot the system.

Registry Persistence

The registry is a core part of Windows and holds a huge amount of configuration data. Attackers love to hook their code into registry locations so that nothing is left on disk for file scans to detect.

This module (exploit/windows/local/registry_persistence) installs a payload that is executed at boot: either at user logon or at system startup, via a registry value in “CurrentVersion\Run” (depending on privilege and the selected method). The payload is installed completely in the registry; no file is written to disk.

Since we have already compromised the victim’s PC and have a meterpreter session with user privileges, use the following commands to execute registry persistence.

Once the exploit has run, it creates a registry key under HKCU\Software\wl4cN9w and the Run entry highlighted in the image.

If the victim reboots the system, the meterpreter session dies; to get the session again, just set up multi/handler with the matching payload and run it.

Once the victim’s machine starts and the victim logs in, we automatically get the meterpreter session again thanks to the autorun entry the attacker installed in the registry. registry_persistence has been executed successfully.

Through the below image you can verify the path of registry key created by registry_persistence exploit.
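Each of the three modules above leaves a footprint in a well-known place: a service whose binary lives in a Temp directory, a value under the Run key pointing at a Temp directory, or a Run value that launches PowerShell to read its payload back out of the registry (the netcat backdoor later in this article also starts from a Run entry). The script below is an added example, not code from the article or from Metasploit: it parses the text of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and of `wmic service get Name,PathName /format:csv`, and flags the entries that match those footprints. Both inputs are constructed samples; the value names, the service names and the PowerShell command are made up to resemble, not reproduce, what the modules write.

```python
import csv
import io
import re

# Constructed sample of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# output (not taken from the lab machine). The "default" value is the kind of entry
# persistence_exe leaves, "nc" the kind the netcat backdoor uses, and "wl4cN9w"
# is made up to resemble, not reproduce, the launcher registry_persistence writes.
RUN_KEYS_SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\raj\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    default    REG_SZ    C:\Users\raj\AppData\Local\Temp\default.exe
    nc    REG_SZ    C:\Windows\System32\nc.exe -Ldp 4445 -e cmd.exe
    wl4cN9w    REG_EXPAND_SZ    %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c "iex ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String((Get-ItemProperty 'HKCU:\Software\wl4cN9w').UQ6OyHf)))"
"""

# Constructed sample of `wmic service get Name,PathName /format:csv`; the IVFC
# entry is the kind of service persistence_service registers.
SERVICES_SAMPLE = r"""
Node,Name,PathName
DESKTOP-RAJ,Spooler,C:\Windows\System32\spoolsv.exe
DESKTOP-RAJ,IVFC,C:\Windows\Temp\IVFC.exe
"""

# Name of the footprint -> pattern over the command line or binary path.
INDICATORS = [
    ("binary in a Temp directory", re.compile(r"\\Temp\\", re.I)),
    ("hidden or profile-less PowerShell", re.compile(
        r"powershell(\.exe)?\s.*(-w(indowstyle)?\s+hidden|-nop|-noprofile|-e(nc|ncodedcommand)?\s)", re.I)),
    ("payload read back from the registry", re.compile(
        r"Get-ItemProperty|\bgp\s+HKCU:|\[Convert\]::FromBase64String", re.I)),
    ("netcat listener handing out cmd.exe", re.compile(r"\bnc(\.exe)?\b.*-e\s+cmd", re.I)),
]

# "    <name>    <REG_type>    <data>": reg query separates the columns with runs of spaces.
REG_LINE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)\s{2,}(?P<data>.*)$")


def parse_reg_query(text):
    """Yield (key, value_name, data) from `reg query <key> [/s]` output; key lines
    start at column 0, value lines are indented."""
    key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            key = line.strip()
            continue
        m = REG_LINE.match(line)
        if m and key:
            yield key, m.group("name"), m.group("data")


def parse_wmic_csv(text):
    """Yield (service_name, binary_path) from wmic's CSV output."""
    for row in csv.DictReader(io.StringIO(text.strip())):
        yield row["Name"], row["PathName"]


def classify(command):
    """Names of every indicator the command line or path matches."""
    return [label for label, pattern in INDICATORS if pattern.search(command)]


def triage(reg_text, wmic_text):
    """Flag Run values and services that match any indicator; entries that
    match nothing (OneDrive, Spooler in the samples) are left out."""
    findings = []
    for key, name, data in parse_reg_query(reg_text):
        hits = classify(data)
        if hits:
            findings.append({"where": key, "name": name, "command": data, "why": hits})
    for name, path in parse_wmic_csv(wmic_text):
        hits = classify(path)
        if hits:
            findings.append({"where": "service", "name": name, "command": path, "why": hits})
    return findings


if __name__ == "__main__":
    for f in triage(RUN_KEYS_SAMPLE, SERVICES_SAMPLE):
        print("%-8s %-9s %s\n         %s" % (f["where"][:8], f["name"], ", ".join(f["why"]), f["command"][:90]))
```

Run the two Windows commands on the suspect host, save their output, and feed the text to triage(); the same patterns apply to the HKLM Run key and to scheduled tasks, which are the other places these modules can install into when they run with higher privilege.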

Persistence through Netcat

Netcat, or nc, is a utility that reads from and writes to network connections using TCP or UDP. It can be used both for attack and for defence: in an attack it can be driven by scripts, which makes it a dependable back end, and on the defensive side it helps us debug and investigate the network. To read more about netcat, please refer to https://www.hackingarticles.in/comprehensive-guide-on-netcat/.

Now we are going to create a persistent netcat backdoor on the compromised system. As we already have a meterpreter session, upload netcat.exe into the System32 directory of the victim’s PC using the following command:

The next step is to configure netcat to listen on a port of our choosing, here 4445, to start at every boot, and to hand out a command shell on connection.

Use the following command:

On a successful netcat connection, we get a shell on the victim’s PC.

We then add a new firewall rule named ‘netcat’ that allows inbound connections on port 4445, using the netsh command from the interactive command prompt. Type the following command:

To check the firewall’s operational mode and the status of the port, run the command:

When the victim reboots the system, we get the netcat shell again. On Kali Linux (the attacker system) run the following command to connect to our netcat backdoor on port 4445.

Persistence through RDP

With a meterpreter session on the already compromised target, we use Carlos Perez’s getgui script, which enables Remote Desktop and creates a user account to log in with.

Username: Nisha

Password: 123

Run the following command:

With the following module (post/windows/manage/sticky_keys) it is possible to apply the ‘sticky keys’ hack to a session with appropriate rights. The hack provides a means to get a SYSTEM shell through UI-level interaction at an RDP logon screen or via a UAC confirmation dialog.

As you can see, the sticky keys backdoor was added successfully; to trigger it at the RDP logon screen or a UAC prompt, press the Shift key 5 times.

Now we check the connection using rdesktop, review the certificate and type Yes, using the following command:

Congrats!!! Finally we get the GUI of the victim’s system.

 Conclusion

These backdoors do not require any authentication to connect to the victim’s system. When the penetration test is complete, always remember to clean up the processes and the backdoor services on the victim’s host.

Author: Nisha Sharma is trained in Certified Ethical hacking and Bug Bounty Hunter. Connect with her here