As a network or security professional, working with PCAPs comes with the territory. Some CTFs also include PCAP challenges, and while Wireshark is the software of choice for some people, learning other tools can help get the flag quickly. In this post, I will cover command-line utilities one can use when working with PCAPs.
Misspelled user agent
In one of the CTFs I participated in, the task was to find a misspelled user agent string. You can do this with Wireshark, but Tshark and Linux command-line utilities make it quicker to get the answer. In this example, I am looking for a misspelled Mozilla user agent string.
andrew@kali:~$ tshark -nr sample.pcap -Y 'http' -T fields -e http.user_agent | sort -u | grep -vi "mozilla" | grep -i "^mo"
Mozila/5.0
Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36
Let me explain some of the commands. I will only explain the Linux command-line utilities I did not cover in my previous post. The -n disables name resolution, and the -r reads the specified PCAP file.
The second part of the Tshark syntax specifies the display filter and the fields I am interested in. The -Y command option applies a display filter; in this case, I used http as the display filter. When analyzing HTTP, there are multiple fields I can encounter, one of which is the user agent. The -T option sets the output format (here, fields), and the -e command option tells Tshark which field I am interested in.
The grep command-line utility prints lines that match patterns. In the first grep command, -v inverts the match, so only lines without Mozilla are kept, and -i ignores case distinctions in the pattern. In the second grep, I only want output that starts with mo (case insensitive). The ^ character is a regular expression anchor that matches the start of a line.
Oldest kernel
In this example, the CTF challenge’s task is to find the oldest Windows kernel in the packet capture file. There are multiple ways to approach this, and I will show two of them. The first approach uses the strings command-line utility. By the way, you can use the tshark command as well.
andrew@kali:~$ strings sample.pcap | grep 'Windows NT'
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)
<-- Output omitted for brevity -->
The last Windows NT line shown above does not align with the others, so I cannot use the cut command-line utility, which needs perfectly aligned fields. That said, I have to use a different way to isolate that field and sort the output. For this task, I can use the sed command-line utility, which filters and transforms text. I rarely use this command, but it came in handy with the FreeRADIUS Dockerfile I wrote, which I covered here.
andrew@kali:~$ strings sample.pcap | grep 'Windows NT' | sed 's/^.*Windows NT/Windows NT/g'
Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
Windows NT 6.0; Trident/4.0)
<-- Output omitted for brevity -->
Using s (substitute) in sed is equivalent to find and replace. The first field is the pattern to search for, and the second is the text to replace it with. In this case, I used another regular expression (^.*), which tells sed to match, from the start of the line, any character zero or more times followed by Windows NT, and to replace that whole match with Windows NT only.
Now that everything is aligned, I can use Linux command-line utilities, such as cut and sort, to display only the Windows NT version.
andrew@kali:~$ strings sample.pcap | grep 'Windows NT' | sed 's/^.*Windows NT/Windows NT/g' | cut -d ' ' -f3 | sed 's/[;)]//g' | sort -u
10.0
5.1
5.2
6.0
6.1
6.2
Again, I used the sed command-line utility to remove the ; and ) characters. It is technically unnecessary, but I wanted to show another example of regex usage.
Alternative solution
Alternatively, one can use the ngrep command-line utility, which provides grep-like capabilities for the network layer of the OSI model. As seen below, I can get the same output as with the strings command-line utility.
andrew@kali:~$ ngrep -I sample.pcap 'Windows NT' -q -W byline | grep 'User-Agent' | sed 's/^.*Windows NT/Windows NT/g' | cut -d ' ' -f3 | sed 's/[;)]//g' | sort -u
10.0
5.1
5.2
6.0
6.1
6.2
The -I command option reads from a PCAP file instead of a live interface. Next in the command syntax is the Windows NT keyword; essentially, I am querying the PCAP file for a string match of Windows NT. Then, I used the -q command option to display only packet headers and their payloads. Furthermore, I used the -W byline command option to display a legible and easy-to-understand output.
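Both pipelines above end in sort -u, which sorts lexically, so 10.0 lands ahead of 5.1 and the oldest kernel is not the first line. As an added example that is not part of the original post, the POSIX shell functions below capture the NT version with a sed group and sort it numerically; the User-Agent lines are constructed samples standing in for the strings or ngrep output.

```shell
#!/bin/sh
# Added example (not from the original post): pull "Windows NT <ver>" out of
# User-Agent lines and pick the oldest version by numeric, not lexical, sort.
# SAMPLE_UA is a constructed stand-in for the output of strings/ngrep.

SAMPLE_UA='User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36'

# Print every distinct NT version, one per line, sorted by major then minor
# number so 5.1 comes before 10.0. Lines without a version are dropped by
# sed -n ... p, so "cut" alignment problems never arise.
nt_versions() {
    grep 'Windows NT' |
        sed -n 's/.*Windows NT \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        sort -t . -k1,1n -k2,2n -u
}

# Oldest kernel = first line of the numerically sorted list.
oldest_nt_version() {
    nt_versions | head -n 1
}

# Usage with a real capture: strings sample.pcap | oldest_nt_version
printf '%s\n' "$SAMPLE_UA" | nt_versions
printf 'oldest: %s\n' "$(printf '%s\n' "$SAMPLE_UA" | oldest_nt_version)"
```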
Encryption
The next challenge requires decrypting the traffic to get the answer. It is easy to perform this in Wireshark, but this post is about using the CLI. With that said, I will keep using Tshark to read the PCAP file, but this time I will specify the RSA key. The challenge asks for the name of the script used to make an unauthorized HTTP POST coming from 192.168.127.25.
andrew@kali:~$ tshark -nr sample.pcap -Y "ip.addr == 192.168.127.25 and http" -ouat:rsa_keys:'"rsa.key",""' | grep POST
19781 22004.103973 192.168.127.25 → 46.101.44.117 HTTP 635 POST /xmlrpc.php HTTP/1.1
Conversations
There are times when I have used statistics during CTF events and in the real world. They help me determine what kind of traffic is in the packet capture. While you can do this in Wireshark, it takes a long time to load a file that contains a lot of packets, and viewing the statistics takes additional time. With Tshark, you can view the statistics quickly.
In this example, the CTF challenge tasks participants with finding the IP address responsible for the most traffic in the PCAP file. In Wireshark, you need to go to Statistics > Conversations > IPv4, then sort to display the highest byte count. With Tshark, you use the -q and -z command options.
andrew@kali:~$ tshark -nr sample.pcap -qz conv,ip | head
================================================================================
IPv4 Conversations
Filter:
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
24.225.193.197       <-> 46.101.44.117          18871 3,290kB   21535 3,901kB   40406 7,191kB   155582.399798000      410.7425
45.40.196.167        <-> 46.101.44.117           1182 590kB      2071 390kB      3253 981kB     164041.389207000      649.3304
46.101.44.117        <-> 67.207.67.3             1224 171kB      1516 161kB      2740 332kB        799.033946000   235581.6340
46.101.44.117        <-> 167.71.64.94            1463 221kB      1200 301kB      2663 522kB      54494.079784000    13323.5098
46.101.44.117        <-> 173.89.247.106          1054 158kB       895 174kB      1949 333kB     107340.771411000       74.9751
The -q command option suppresses the packet summary or details output. The -z command option displays various types of statistics after Tshark finishes reading the PCAP file. The conv argument creates a table that lists all conversations in the capture, and the ip argument specifies that I am only interested in IPv4 addresses as the endpoint type for which the statistics are generated.
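The conversation table is per address pair, so a host that talks to many peers (46.101.44.117 above appears in every row) is only ranked correctly by adding up its rows. As an added example, not from the original post, the shell/awk function below sums the total bytes of each row onto both endpoints and ranks the addresses; the rows are taken from the output above as a constructed sample, and kB is converted at 1000 bytes, which is an assumption about tshark's size units.

```shell
#!/bin/sh
# Added example (not from the original post): turn the per-conversation
# table printed by `tshark -qz conv,ip` into per-address byte totals.
# CONV_TABLE holds the data rows from the post's output as a constructed sample.

CONV_TABLE='24.225.193.197       <-> 46.101.44.117          18871 3,290kB   21535 3,901kB   40406 7,191kB   155582.399798000  410.7425
45.40.196.167        <-> 46.101.44.117           1182 590kB     2071 390kB     3253 981kB     164041.389207000  649.3304
46.101.44.117        <-> 67.207.67.3             1224 171kB     1516 161kB     2740 332kB     799.033946000  235581.6340
46.101.44.117        <-> 167.71.64.94            1463 221kB     1200 301kB     2663 522kB     54494.079784000  13323.5098
46.101.44.117        <-> 173.89.247.106          1054 158kB      895 174kB     1949 333kB     107340.771411000  74.9751'

# Read table rows on stdin; print "bytes address" sorted descending.
# Sizes are approximate because tshark rounds to kB/MB (assumed SI: kB=1000).
bytes_per_endpoint() {
    # Small rows print "N bytes" as two tokens; glue them so every row has the
    # same field layout before awk splits on whitespace.
    sed 's/ bytes/B/g' |
    awk '
        function to_bytes(tok,   n, unit) {
            gsub(",", "", tok)            # 7,191kB -> 7191kB
            n = tok + 0                   # leading number
            unit = tok; gsub(/[0-9.]/, "", unit)
            if (unit == "kB") return n * 1000
            if (unit == "MB") return n * 1000000
            if (unit == "GB") return n * 1000000000
            return n                      # plain bytes
        }
        # $1 <-> $3 | $4 $5 | $6 $7 | $8 $9 (total frames, total bytes) ...
        $2 == "<->" { b = to_bytes($9); total[$1] += b; total[$3] += b }
        END { for (a in total) printf "%d %s\n", total[a], a }
    ' | sort -rn
}

# Address with the most traffic across all of its conversations.
top_talker() {
    bytes_per_endpoint | head -n 1 | cut -d ' ' -f2
}

# Usage with a real capture: tshark -nr sample.pcap -qz conv,ip | top_talker
printf '%s\n' "$CONV_TABLE" | bytes_per_endpoint
```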
Last example
In this last example, the challenge’s task is to find the flag in the MySQL traffic. Since I am curious about the protocol hierarchy statistics, I will issue the Tshark command with the command options that display them.
andrew@kali:~$ tshark -nr sample.pcap -qz io,phs,mysql
===================================================================
Protocol Hierarchy Statistics
Filter: mysql

sll                                      frames:1767 bytes:285135
  ip                                     frames:1767 bytes:285135
    tcp                                  frames:1767 bytes:285135
      mysql                              frames:1767 bytes:285135
        _ws.malformed                    frames:7 bytes:1731
        mysql                            frames:3 bytes:1443
          mysql                          frames:3 bytes:1443
            mysql                        frames:3 bytes:1443
              mysql                      frames:3 bytes:1443
                mysql                    frames:3 bytes:1443
                  _ws.malformed          frames:3 bytes:1443
                  mysql                  frames:3 bytes:1443
===================================================================
Using the -z io,phs,mysql command option, I am telling Tshark to create a protocol hierarchy statistics listing with only MySQL-related traffic.
Since there are 1700-plus packets in the PCAP file, I need to filter the output with a keyword. In this particular event, the flag format has the CTF keyword, so I am using that as the keyword.
andrew@kali:~$ tshark -nr sample.pcap -xV -Y 'mysql' | grep -A2 -B2 CTF
0440  2f 62 69 6e 2f 66 61 6c 73 65 0a 73 75 70 70 6f   /bin/false.suppo
0450  72 74 3a 78 3a 31 30 30 30 3a 31 30 30 30 3a 43   rt:x:1000:1000:C
0460  69 73 63 6f 43 54 46 7b 40 70 6f 72 74 63 75 6c   iscoCTF{@portcul
0470  6c 69 73 6c 61 62 73 7d 3a 2f 68 6f 6d 65 2f 73   lislabs}:/home/s
0480  75 70 70 6f 72 74 3a 2f 62 69 6e 2f 73 68 0a 07   upport:/bin/sh..
The -x command option prints the hex and ASCII dump of the packet data, and -V prints the packet details view. Since I am looking for a line that contains CTF, I used the grep command-line utility, this time with -B2 and -A2, which show two lines before and two lines after the matching line.
Final thoughts
With this post, I am only scratching the surface of packet analysis using the CLI. There are other Tshark command options that I did not tackle. I also did not include the tcpdump command, which one can use to read and analyze PCAP files. In any case, I believe this post can serve as a starting point to develop one’s CLI skills further.