Wireshark

Task
Wireshark Usage

Find the URL with a 200 OK Response

Apply HTTP filter: http.response.code == 200.

Look at the "Host" and "Request URI" fields of the matching HTTP request to determine the full URL accessed (the filter above selects the response; Wireshark links it to its request under "Request in frame" and also carries the request URI in the response as http.response_for.uri).

Find the IP and MAC of an Infected Windows Client

Find the victim’s IP by filtering DHCP traffic:

  • dhcp or bootp (bootp is the protocol name used by older Wireshark versions)

  • Look for the assigned IP address ("Your (client) IP address") in the DHCP ACK packet.

Find the MAC address:

  • Filter using arp

  • Identify the MAC address associated with the victim’s IP.
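As an added example (not part of these notes), a small Python parser that reads from a raw DHCP ACK payload the same fields the steps above point you at in Wireshark: "Your (client) IP address", "Client MAC address" and the Host Name option. The packet bytes, addresses and host name are constructed for the example, not taken from a capture.

```python
import struct
from typing import Dict, Optional

DHCP_MSG_TYPE = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"

def build_sample_dhcp_ack() -> bytes:
    """Constructed sample: the UDP payload of a DHCP ACK assigning 10.0.0.25
    to client MAC 00:11:22:33:44:55 (hypothetical values, not a real capture)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                                  # op=BOOTREPLY, htype=Ethernet, hlen=6, hops
        0x3903F326, 0, 0x8000,                       # xid, secs, flags
        bytes(4), bytes([10, 0, 0, 25]),             # ciaddr, yiaddr ("Your (client) IP address")
        bytes([10, 0, 0, 1]), bytes(4),              # siaddr, giaddr
        bytes.fromhex("001122334455") + bytes(10),   # chaddr, padded to 16 bytes
        bytes(64), bytes(128),                       # sname, file
    )
    options = (MAGIC_COOKIE
               + b"\x35\x01\x05"                     # option 53: DHCP Message Type = ACK (5)
               + b"\x36\x04\x0a\x00\x00\x01"         # option 54: DHCP Server Identifier
               + b"\x0c\x08DESKTOP1"                 # option 12: Host Name
               + b"\xff")                            # end option
    return header + options

def parse_dhcp(payload: bytes) -> Dict[str, Optional[str]]:
    """Extract the fields that tie a host to an address: message type,
    assigned IP, client MAC and host name (the same fields Wireshark shows)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload (too short or missing magic cookie)")
    hlen = payload[2]                                # hardware address length (6 for Ethernet)
    yiaddr = ".".join(str(b) for b in payload[16:20])
    chaddr = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])
    opts, i = {}, 240                                # options are type-length-value after the cookie
    while i < len(payload) and payload[i] != 255:    # 255 = end option
        if payload[i] == 0:                          # 0 = pad, carries no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = DHCP_MSG_TYPE.get(opts.get(53, b"\x00")[0], "UNKNOWN")
    hostname = opts[12].decode("ascii", "replace") if 12 in opts else None
    return {"message_type": msg_type, "assigned_ip": yiaddr,
            "client_mac": chaddr, "hostname": hostname}

if __name__ == "__main__":
    print(parse_dhcp(build_sample_dhcp_ack()))   # the fields a "dhcp" filter would show for the ACK
```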

Find the Victim’s Hostname from NetBIOS

Use the Wireshark filter:

  • nbns (NetBIOS Name Service)

  • nbns && ip.src == [Victim IP] to narrow results

Look at Name Query Response packets to find the hostname.

Identify the Infected User Who Ran a file

Open the Find Packet dialog (Edit > Find Packet, or Ctrl+F), set the search scope to Packet bytes and the search type to String, then enter the file name to find the packets that carry it.

Detecting PowerShell Traffic via User-Agent

Open the Find Packet dialog (Edit > Find Packet, or Ctrl+F), set the search scope to Packet details and the search type to String, then enter the User-Agent value (for example the "WindowsPowerShell" string carried by PowerShell's default User-Agent) to find the packets that carry it.
