Training 2015 - Wireshark WiFi and Lua-Packet Class
From BruCON 2016
Wireshark Wifi training
Wireshark is the number one network security tool according to the SecTools.org Top 125 Network Security Tools survey. But did you ever spend time to familiarize yourself with the many powerful features of this excellent security tool? If you did not, then now is your chance to learn as much as you can in this class and receive your complimentary AirPcap adapter for Windows. The AirPcap adapter allows you to sniff WiFi traffic on Windows machines. You can keep this AirPcap adapter after the training.
This training is for the novice and intermediate Wireshark user.
- First, Didier will familiarize you with the user interface of Wireshark.
- Then, we will touch upon the art of capturing traffic. You might think that you just need to install Wireshark on your machine to capture traffic, but that is just one way to do it. We will also look at ways to capture traffic at different points in the network, using network devices and dedicated hardware.
- Learning about capture filters will help you control the size of your capture files on busy networks. Knowing capture filters is an important skill for security professionals. Capture filters are used not only by Wireshark, but also by many other (security) tools you will encounter in your career.
- Colorizing traffic and using display filters (not to be confused with capture filters) are key in finding the interesting packets hiding in your capture files.
- Your head will spin when you see all the built-in statistics. Wireshark comes with many statistical reports that help you drill down into your captures. Many of these statistical tools support display filters, allowing you to customize your reports. And when we say reports, we talk about graphics too: Wireshark can produce graphical representations of your network traffic. When you master this feature, you will be able to grasp aspects of your network traffic in the blink of an eye.
- Data sent over a network is split up into several packets and can adopt many protocols. It can be a hard task to figure out what all these packets mean. But Wireshark understands this and can reassemble these packets into streams so that you can view and extract the data you are interested in, so that you get an abstracted view and are no longer “lost in packets”.
- We will also learn about Wireshark's expert system, an often overlooked feature that can save you many hours of peeking at packets.
The AirPcap adapter allows you to capture WiFi traffic in monitor mode on Windows machines (normal WiFi adapters on Windows only support promiscuous mode). We will familiarize ourselves with the different options of the AirPcap adapter. You will receive a couple of tools, for example to perform channel hopping with the AirPcap adapter. The AirPcap Classic USB adapter is a complimentary device that is part of this training and becomes your property.
Once we are familiar with Wireshark's many important features, we will look at all types of traffic. Regular day-to-day traffic like DNS, TCP/IP, HTTP, SMTP, WLAN, … but, of course, also the irregular traffic like network scans (nmap anyone?) and network discovery, and traffic from hacker tools and malware like botnets. Network forensics is an important skill to master, and Wireshark is an essential tool to help you master this skill.
As an experienced Wireshark user, Didier has come to hit some limits of Wireshark, and has worked past these limitations using command-line tools like Tshark and specialized scripts. In this training, Didier will share with you how he has gone beyond “simple” Wireshark. For example, say that you have traffic captures worth a couple of gigabytes. Just using Wireshark to look at this traffic becomes virtually impossible, unless you have an insanely specced-out machine that your boss will never give you. But using the right command-line tools, together with some specialized Python scripts, Didier will teach you how to clear this hurdle.
Wireshark can also be extended using the C and Lua programming languages. In this class, we will look into Lua taps and dissectors to help you analyze traffic that “pure” Wireshark does not understand. Wireshark dissectors are often designed to analyze a network protocol. Say you are reversing a botnet, then you can develop your own dissector that analyzes the custom network protocol that the botnet uses to communicate between the C&C and the clients. But custom dissectors can help you even with known network protocols. For example, Didier will teach you the inner workings of a simple custom dissector he developed in Lua to analyze HTTP cookies. This simple dissector is very useful to filter out traffic according to server sessions, like PHP or ASP sessions.
In a nutshell, this packed training will teach you both simple and advanced Wireshark skills that are essential for security professionals and hackers. You do not need any prior exposure to Wireshark to attend this training, but a basic understanding of networking is required. Programming in Lua is not a required skill for this training; we will explain all you need to know about Lua in this training. But some basic scripting experience is useful, so that you do not feel overwhelmed when we discuss custom dissectors. If you know what an if-statement and a for-loop are, you will be fine.
Key learning objectives
- Get a thorough overview of Wireshark's features
- Getting familiar with WiFi
- Learn how to customize Wireshark
- Learn how to script Wireshark
- Get familiar with the user interface of Wireshark
- WiFi with AirPcap
- The art of capturing traffic
- capture traffic at different points in the network
- using network devices to capture traffic
- using dedicated hardware to capture traffic
- Capture filters
- Knowing capture filters is an important skill for security professionals. Capture filters are used not only by Wireshark, but also by many other (security) tools you will encounter in your career.
- Display filters (not to be confused with capture filters)
- Colorizing traffic
- Built-in statistics
- customize with display filters
- Streams and data
- Wireshark's expert system
- Practical capture analysis
- Regular day-to-day traffic
- Irregular traffic
- network scans (nmap anyone?)
- network discovery
- traffic from hacker tools
- traffic from malware like botnets
- Network forensics
- Regular day-to-day traffic
- Command-line scripting with Tshark, Python and Lua
- Lua listeners
- Lua dissectors
- Use a Lua dissector generator
- Refactor existing Lua dissectors
- New protocol dissectors
- Post dissectors
A basic understanding of networking is required. Some basic scripting experience is useful, so that you do not feel overwhelmed when we discuss custom dissectors. If you know what an if-statement and a for-loop are, you will be fine.
A Windows laptop with the latest version of Wireshark installed and with Python 2.7. Administrative rights are useful to install some Python modules. If you don't have administrative rights, make sure that you can perform a capture and run Lua scripts. If you are in doubt, make sure that you have administrative rights. Make sure that there is no security software running that could interfere with capturing.
The AirPcap adapter only works on Windows. OSX and Linux machines don’t need this adapter; they can use the existing WiFi NIC in monitor mode. If you have no other option, you can bring an OSX or Linux machine to the class, but then you won’t be able to use the AirPcap adapter.
Didier Stevens (Security Consultant, Didier Stevens Labs, Contraste Europe NV) is an IT security professional well known for his security and forensic tools, like the Network Appliance Forensic Toolkit (NAFT). Didier is an experienced Wireshark user; he started using it when it was still known as Ethereal.
Didier holds many IT certifications, is a Microsoft MVP Security and SANS ISC Handler. Relevant to this training are his WCNA certification (Wireshark Certified Network Analyst) and CCNP/Security certification (Cisco Certified Networking Professional). You can find his tools on his security blog (see below).
More information is available on Didier Stevens' blog.
Mon. 5 - 6 October 2015 (09:00 - 17:00)