TryHackMe WIRESHARK Filters Walkthrough

Captions
All right everybody, I wanted to show you a walkthrough of my first TryHackMe room. This is the Wireshark Filters room available on TryHackMe, so if you go out to TryHackMe and you just register for a free account, this is going to be one of the rooms that you can do a walkthrough of.

Now why did I choose this platform to do this kind of content with? Well, what I like about TryHackMe is that you can go on there, you can download the pcap, and then you can start to answer questions about that pcap, and it gives you a real nice way of seeing: did I put the right thing in, did I achieve that goal? So it's real interactive. I like the hands-on approach to this platform, so go ahead and click the link down below. Now at the time of this recording this room was not yet available in the search features of TryHackMe; they're still waiting to release it to the general public, but you are able to access it directly, so that's what we're going to go ahead and do for this video.

All right, so here we are on the Wireshark Filters room. So in this room, like it mentions, we're going to be learning about how to filter traffic. Now I wanted to start here just because filtering is such a big part of what we do with Wireshark. It's important that we have some hands-on practice of different common filters that you will absolutely be using as you learn to use this analyzer.

Okay, so there's two ways that you can get to the lab trace files. Either you can start the virtual machine and you can access it remotely, either through your VPN or through the jump box on TryHackMe, or if you don't want to do it that way, what you can do is, through each of these tasks you have a pcap that you can download and then you can answer those questions for that task. So I'm going to go ahead and do that one: I'm going to download each pcap and then show you the answers.

All right, so I'm just going to go to Introduction. Feel free to read through this if you'd like to; I'm just going to say Completed, just to keep this video as short as I can. I'm going to collapse that task. Let's go ahead and come to Protocol Filters. Now these are the most simple filters for us to remember, so I'm just going to come to Download Task Files, I'm going to let that download, then I'm going to pop that open in Wireshark.

Okay, so here I've got Wireshark open with that TryHackMe protocols pcap. This is the second copy, because there were two that were in my downloads folder. But if I come here, if you look down to the lower right, you're gonna see 7374 packets. If you have the same, that means that we're on the same pcap; it's very unlikely that that number could be the same on two different ones. But let's go ahead and start working through these questions.

So the first one is: how many ARP packets are in this pcap, and then how many IP packets? So here's a simple filter. I'm just going to go up to the top left, type in arp, enter, to put in the ARP protocol filter. Then if I come down here to the bottom right, I can see the number that meet that filter is 1032. So I'm going to come back over here, let's go ahead and enter 1032. All right, and that will answer that one. Next was IP, so how many packets are IP? Simply put in ip, enter: 6342. All right, 6342, good deal.

Okay, so what's the MAC address for this station, 192.168.56.1? Just gonna copy that, gonna come back over here, I'm just gonna do an ip.addr == and then I'm just looking for packets that have that station in it. So if I come down here, I'm just gonna take a look at this packet, and this happens to be packet 1043. So this is a reset and it's originating from this IP address, 56.1, and if I take another peek at the IP header I can see that this is an unrouted packet, so the TTL is 64.
Now when a TTL starts with common bit boundary numbers, so 64, 128, 255, that means that that packet has not yet passed through a router in most cases. So that means that I'm on the same network; the source MAC and the source IP are coming from the same station. All right, so if I take source now, it's kind of a cool feature of Wireshark here: what I can do is I can just take Address, right click, Copy, Value. All right, I'm going to bring that back over to TryHackMe, right click, paste, and now I can just paste in that MAC address, hit submit, and that's the MAC address for that station.

How many ICMP packets? All right, coming up to icmp, and I can see I've got 1064 there, so I'm going to type in 1064. All right, next: remove all ICMP packets, how many are left over? Okay, so I'm going to come over here. To remove ICMP, the way that I do this is two ways: I can say !icmp to use that symbol, or I can come over here and just say not icmp, same thing. If I look at the bottom right down here, 6310 is the number of leftover packets, so let's go ahead and put that in, 6310, and we got the correct answer.

Filter for TCP, how many packets? All right, tcp, and if I come down there, 6293. All right, 6293, okay, gonna say submit. Now keep the filter applied for tcp. Notice that there's some ICMP packets: that's TCP encapsulated within the ICMP header, and that's why it matched our tcp filter. But can you add a filter to this statement that will remove all the ICMP? So can you add a filter that will remove all of this extra ICMP stuff? Well, if I say tcp and not icmp, all right, so that's a filter that I use quite a bit, or that type of filter, the construct of that filter: I want to show all of this but not this. Okay, so here I go; if I take a look at that lower right, 5269. So let's come back over here, 5269, all right, let's say submit. All right, that looks good.

Now filter for UDP and remove any ICMP as well; how many meet that filter? So I'm going to do the same thing, just pull off tcp, just go udp, come down here to the lower right, I got nine packets. Okay, so nine. And I saw that, you know, I moved off this quickly, but that's down there in the lower right where I'm always looking for those packet numbers.

Now filter for only ICMP echo reply packets; how many do you find? Well, if we're not sure how to set that, first I'm going to just filter on icmp. Well, I'm not sure how to do that; I can come over here and just put a filter in for icmp. Down here I can see in my packet list I've got a ping reply, so if I come down, let's go and take a look at what it is that makes an ICMP reply a reply: what field should I filter for? Here I can see Type 0; that's what's going to make this ping a reply. So let's just go ahead and take that; I'm going to right click, Prepare as Filter, Selected: icmp.type == 0. And if I take a look here, I can see all my replies here. All right, those are all replies, and there are 16 packets that meet that filter. So let's go ahead and do 16 and let's say submit. All right, so that was the end of task number two.

Okay, so let's go ahead and pop open task three. Now let's go ahead and execute this, so I'm going to come down here to the questions, and well, first I'm going to download that pcap and I'm going to pop it open in Wireshark and we'll answer the questions. So in this pcap, the name of the pcap is tryhackme web pcapng, okay, I've got 1078 packets. Gonna come over here, look at that first question: filter for all packets to and from the host 172 6727. So I'm going to take this IP, right click it, and I'm going to come up here to the display filter. Let's just do our ip.addr; so this means either the source or the destination. All right, so here I can see I've got 320 packets to and from that device. Okay, so 320.
All right, next: how many packets are from the DNS server? All right, so first I got to figure out what the DNS server is, so first I'm just going to filter dns, and here I can see some queries going and some responses. Okay, so now I have a filter for dns, so all I got to do is just take a look at the ones that are replies coming back from that server. Here I can see 4.1, so I'm just going to take that IP in that location, I'm going to drag and drop it upstairs, and then I'm just going to apply it as a selected value. So here I can see ip.src == and then that IP; those are from the DNS server. All right, so I can see that I've got six packets and all of those are responses, okay, so let's go ahead and say six.

All right, now filter for the busiest IP conversation in the pcap; how many packets meet this filter? So to do that, any time I'm looking at busy or looking for top talkers, for me that always makes me come up to Statistics and look at Conversations. All right, this is going to bring up another screen here; let me bring that over. And right here it's asking for (let me come back over here) the busiest IP conversation, not TCP conversation. Okay, so I'm going to come over here to IPv4; there's four different conversations. I'm going to sort on packets or bytes; now it's asking for the number of packets. Okay, so I could just say 714 and be at it, but I also could filter for this by going Apply as Filter, Selected, A to B, B to A. If you notice, the background now updated, and close this: see, those two IP addresses are now populated in my display filter bar and I've got my 714 packets. All right, so let's go ahead and put that in. All right, that was our right answer.

So these are both HTTP and HTTPS conversations, so let's filter for all traffic to and from the first two web servers and this station IP; so how many packets meet that filter? Okay, so we want all traffic to and from the first two web servers. All right, so I'm just going to come back, I'm just going to clear out that display filter, and let me go over here. So there's both HTTP and HTTPS conversations, so let's filter for all traffic to and from those first two web servers. I'm just going to take these two IPs and just copy, and what I want to do is come back over here and I'm going to just populate them in the display filter, so that I want to and from both of these IPs.

Okay, so when I come over here and I copy this, there's a couple of different ways that I can set this filter. All right, I can do this: I can do ip.addr == that first value, and then I can say or ip.addr == the other value. All right, and that'll work; that'll give me my 352 packets on the bottom right. Now there's another way that I can do this. Now this is a trick for you: anytime that you start to see that you're filtering for the same location or the same field but the values are different, what you can do is you can start to use, instead of ==, a membership operator, which is in, then curly brace. And what I'm going to do is I'm just going to remove this extra stuff here; I'm just going to put a comma between those two IP addresses and then an end on the curly brace. So either one of those filters would work. What I'm saying is I want to see those addresses, one of those addresses, always in the IP address field; so show any conversation that includes one of those two addresses. Okay, so this is great when you're not sure if you're exactly filtering a certain conversation with an IP, or if it's a few different end users that you'd like to monitor coming into a server, or if that end user is talking to several different servers. So that's a good one to keep on hand. 352 is the answer; let's come over here, 352, and we will hit submit.

Okay, so now it's asking what symbols can be used in place of the word and. So the word is and, but if we look at our C-like symbol, this is where we can go && and we can say submit. Okay, so it's ampersand ampersand instead of the word and. What symbol can be used in the place of the word not? That's going to be exclamation point; let's hit submit. What's the syntax to remove all ARP traffic from a pcap? It's going to be not arp. All right, very good.

All right, so this was the third task, so now we're wrapped up with that one. Let's go ahead and pop open now to TCP Filters; these are ones you're going to use quite a bit. Now it's saying use the same pcap for task 3 for this one, so I'm just going to leave this tryhackme web pcap up and I'm going to start to apply these other filters to it. So let's dig in.

So how many packets in this pcap have the TCP SYN flag set? Let's come back over here; I'm going to do tcp.flags.syn == 1. So this is activating that flag. All right, so this is going to be both the SYN and the SYN/ACK. Come down here to TCP, down into the flags field: I just want any packet at all that has that SYN bit set. Now the way that I got to this field name, how did I find that field name? Well, if you come down here to the SYN bit on any TCP packet, you can notice here in the lower left that you have tcp.flags.syn, so Wireshark's giving you a little cheat sheet. So if you want to filter on this field, this would be the field name that you use in a display filter. Okay, so I could type it out or I could just find a SYN, grab this, drag it upstairs and just say Selected, and that's going to give me exactly the same thing. All right, so I can see I got 22 packets.

Okay, and now how many have the FIN flag set? So if I come down here to the flags area of the TCP header, this is where I can click on FIN: tcp.flags.fin, that would be the syntax. So I'm just going to flip syn to fin, all right, and I can see I got 11 packets, so let's go ahead and fill this in. Now how many TCP resets? Okay, so this is where instead of syn or fin we're actually going to type in reset, and we've got four in this pcap. Come over here to my answers, type that in, answer correct.

So now how many SYNs were sent on TCP port 80, not including TCP SYN/ACKs? So I just want the SYNs. All right, so let's build out this filter. First I'm going to do tcp.port == 80. Okay, so I'm just going to apply that; see I've got 60 packets. And I want tcp.flags.syn == 1 and tcp.flags.ack == 0. Sorry, I've got four of them. Now we also could have in this instance, just because we don't have a whole lot of them and all of these SYNs don't have any other flags in them (this is important), I could come down here and I could just say flags is 2, so literally tcp.flags == 2, a decimal 2, and it would give me exactly the same thing. Let me come back over here: flags == 2. The reason for the 2 is that in all these packets it just happens to be that the only flag that is set is the SYN bit. However, I don't want you all to get into the habit of filtering on just that bit, right, and the reason is because sometimes you have the CWR bit set, that you see in ECN, and then you also have a SYN bit set, and if you filter on this flags field, tcp.flags == 2, you'll miss those other ones. So for now, I mean we also could use an ampersand here, but that's getting into a bit more of advanced filtering. For now, just get used to filtering on just the bit: tcp.flags.syn == 1 and tcp.flags.ack == 0. Just do that for now and we'll continue to build on our knowledge here. All right, so that's four packets; gonna come in here, answer format four.

All right, next: find the busiest TCP connection in this pcap; what's the client port number? Okay, so I'm going to remove my filter, going to go Statistics, Conversations, and if I come over here to TCP and I'm going to sort on packets, the client-side ephemeral port number is 47650.
Okay, so come down here, 47650, submit. Very good. How many unique TCP connections are in this pcap? We saw that over here: there's 11. Okay, so let's go to 11 TCP connections, or conversations. What filter can we use to find TCP errors? Hopefully this is one that you've used before with Wireshark; it's an important one to know about, and that's every time that my analysis flags get triggered. So Wireshark does a bit of analysis for us; using TCP analysis flags, it's saying hey, this packet has a flag on it, you might want to check it out. So things like keep-alives, previous packet not captured, retransmissions, out-of-orders, duplicate acknowledgements, zero windows, full windows, window updates. So there's a lot of different types of things that will trigger that analysis flag, so that's an important one to know about. If I come down here: tcp.analysis.flags, hit submit. Very good.

Okay, so now what operator allows us to quickly filter for several different ports? Ooh, okay, so if I wanted to filter on more than one port, so tcp.port, instead of doing == what I would do is I would use that membership operator again. So that's where I would say in, curly brace, this is where I can say in {21 23 25}, close curly brace, and then I will see all the packets in my pcap that met that filter. At the same time I can also come over here, I can just put a paren around this just to make sure that it's nice and contained, put a parenthesis, and I can also say not; so now show me all the packets that are not TCP port 21, 23, 25. Okay, so that's the operator, so let's come over here and just say in.

Now filter on all traffic on TCP ports, these ports, these 10 different ports. Okay, I'm just going to copy that, going to come back over here, so tcp.port, back this out, now I'm going to go ahead and take that range and paste it in, and instead of a dash what I want to do is two dots, and what this does is it allows Wireshark to say okay, anything on any port within this range, so as long as it matches go ahead and display it. If I come down there I've got 714 packets; I'm going to come over here, 714, all right, and hit submit, and we're good to go. So those are some common TCP filters that for sure you're going to use in Wireshark.

Next let's go to DNS. Okay, so I'm going to extract this out; let's download this task file. Okay, so I popped it open in Wireshark, tryhackme dns, and I can see that I've got 440 packets that are displayed. Okay, so you're going to learn about some of these filters and also the record types and so on. Let's come down to these questions. So what's the address of our server here? So we've got queries going to 4.1, so I'm going to come down here to our destination address, right click, Copy, Value, come back over here, going to just paste that value in, and there is our IP.

Now set a filter for queries or requests; how many packets match that filter? So here I've got some queries, I got some responses, so let's grab a query. I'm going to collapse that IP area, I'm going to come down to DNS, open that up, and I want to come down here to DNS flags. Now what is it that makes a DNS query a query? Well, if you come down here to our flags, Response: this is a zero; that makes this a DNS query. Okay, so I'm just going to drag this upstairs, drop it in, and here I can see I've got 44 queries. Now just to make sure that this is correct, I'm just going to eyeball through, and sure enough, yep, all looks good, I got 44 of them. So I'm going to come in here, 44.
Next, set a filter for responses; how many packets match that filter? Well, if a zero is a query then a response must be a one; it's binary, so query zero, response one, and again that's dns.flags.response == 1, and I got 44 of them. So right away something I learned is that every query that was sent out has an associated response. It's unlikely that I have a query and two responses; it's most likely, okay, I got a request, a response, or request, response.

How many packets contain the word hack in the DNS query name? Ooh, okay, so what I can do is I can come down to, let's go ahead and do Queries, and what I can do is I can say Name, and what I'm interested in here is this field, dns.qry.name. Okay, so I'm actually going to right click this and I'm just going to say Prepare as Filter, Selected. Now the question was how many packets contain the word hack in that field, so the best way to do that is not == hack but doing contains hack. Okay, so anywhere, whenever that field shows up, dns.qry.name, if it contains the word hack, so if that word hack appears in either a request or response in that name, then go ahead and display the packet. I've got 12 packets that match that filter; gonna say 12 and we're good to go.

All right, now packet one is a request for tryhackme.com; in the response there are three addresses resolved to this name. What's the third address in the response? Okay, let's go ahead and take a look at the request. So it's in packet one, and part of the point of this exercise is to show you how a request and response are indicated in Wireshark. Here's the query and here's the response, and what Wireshark does is, you see that we have these two transaction IDs, so it's 592b and 592b; it just matches those together. Okay, so in a DNS response we can have one query, two queries, whatever, and we can have more than one answer resource record; it's not just one. Let's actually take a look: go to Answers. Here you can see I got three different addresses come back for tryhackme.com. Going to expand this out; here I can see that the third one is this address. Right click, I'm gonna copy that value, come back to TryHackMe, I'm going to paste that in, and let's submit it.

Now how long will this record be stored in the client cache, in seconds? Well, in the answer record it tells us the time to live, the DNS response TTL, so here I can see it's 300 seconds, or in other words 5 minutes. So I'm going to come back here and just say 300. All right, and then a response can carry multiple records; which packet has the most answer RRs? Give the frame number. All right, so here we can see that we have three answer resource records, so what I'm going to do is I'm just going to right click and I'm just going to apply the Answer RRs temporarily as a column. And the other thing that I want to do is, I could just sort this right now if I want, but just to be sure I'm just going to remove that filter and just type in dns, just to be sure I got all my DNS packets, and one really stands out with the most answer resource records: it's got nine. And here I can see a lot of different responses, some CNAMEs, some IPv6 addresses, a few different IPv6 addresses in fact, some additional records. So okay, great, so this is nine resource records, so the actual packet number is 62.
So I'm going to come over here and just pop in 62; that is the answer. And last, what filter would display all DNS queries and responses for IPv6 addresses? Well, we already saw here we have some responses for v6. Okay, so the thing that makes a v6 request or response, we're looking for this 28 response type. Okay, so let's type quad A, right, so that's the type of record we're looking for. If I come up to the request I can also go to the query, and here we're asking for type, so DNS query type is 28, and then I can see that the response type is 28 as well. So what I'm going to do is I'm just going to take that type, I'm going to take and drag it upstairs; since that type appears in both the request and the response, I'll get both of them. So I'm going to type that in, type 28, I'm going to sort this, so here I can see I got query and response: dns.qry.type == 28. I got 44 packets that show up. And let's come over here, so what filter would do this? All right, so let's go ahead and copy this, see if this met what TryHackMe is asking for: dns.qry.type, submit. Oh, answer's correct? You know what it is, it might be that this has some spaces in it; that's what it was. So we just take the spaces out around that operator. Now Wireshark doesn't care if you have a space on either side of the two equals, so in this case we just pull those spaces out and now we have our DNS query type.

Okay, next let's go ahead and go to task number six, Special Operators. So some common operators, we've learned those already, but now there's some special ones. So we've learned a little bit about the membership operator, also we've seen contains, and now we're going to tinker a bit more with the matches operator. Okay, so if we're gonna come down here, so the pcap for task three: I'm just gonna come back to Wireshark, and I opened up tryhackme web again, so that gives me the task three pcap.

So how many packets contain the word assets, regardless of case? Well, contains cares about case; matches does not. I'm using regex there, so for me what I would do is I would just say frame matches assets. All right, so that gives me 10 packets, so let's come over here, check that one out. Now what packet number contains the string aws? Now in that case let's go ahead and assume that that is case sensitive, so I can do contains and I'm just going to say aws. All right, so 804, that's the frame number. All right, good to go.

Okay, next: how many packets contain .org or .com? Now in this case we didn't get a protocol identifier, or a protocol wasn't indicated in the question, right; this could be TCP, this could be UDP, this could be HTTP, this could be DNS, this could be anything with that string. Okay, so since that's the case, what I'm going to do is just come over here to frame; that means basically start at the Ethernet frame. Okay, so don't go directly into ip or tcp. If we indicate tcp contains something, then that means we're just looking within the TCP payload; that means that we would miss things like DNS, because DNS is over UDP. So for me I like to just say frame. We're going to say matches, because we want to use the regex operators. Now if you're not good at regex, it's okay, you're in good company, I'm not good at them either, but there's some common ones that you will be using. All right, so let's go ahead and do a quotation, and we're going to do a slash dot, \., and what that does is it maintains the dot; the slash dot is how you say okay, there's a dot in this parameter. What we're going to do is we're going to do an open parenthesis and we're going to say what was it that we're looking for: org or com. Okay, we're gonna say org, pipe, com. Now regex isn't the same language; this is Perl compatible, so we only need one pipe to indicate or. We're going to close the paren and then close the quotation. So this is going to tell Wireshark: anytime you see .org or .com anywhere in that frame, regardless of protocol, go ahead and show the packet. I've got 28 that made that filter; I'm going to come over here and I'm just going to say 28.
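The operators this task works through (the in {...} membership test with ranges, the case-sensitive contains, the case-insensitive regex matches, and the difference between the frame and tcp scopes) can be modelled in a few lines. The block below is an added example, not code from the video or from TryHackMe: it is not Wireshark's parser, only a Python model of the behaviour the walkthrough relies on, run over constructed packets whose payloads and ports are invented for the demonstration.

```python
"""Added example: semantics of the Wireshark display-filter operators used in
this task (in {...} with ranges, contains, matches) and of the frame vs tcp
scope, modelled in Python over constructed packets. This is not Wireshark's
own parser; it reproduces only the behaviour the walkthrough relies on."""
import re


def pkt(proto, sport, dport, payload):
    """Constructed packet: 34 zero bytes stand in for the Ethernet+IP headers."""
    return {"proto": proto, "sport": sport, "dport": dport, "raw": b"\x00" * 34 + payload}


# Constructed sample traffic, not the TryHackMe capture.
PACKETS = [
    pkt("tcp", 404, 51000, b"HTTP/1.1 200 OK\r\nServer: assets.example.com\r\n"),
    pkt("tcp", 51001, 405, b"GET /Assets/app.js HTTP/1.1\r\nHost: www.example.org\r\n"),
    # Plain-text stand-in for a DNS answer over UDP. On the wire DNS names are
    # length-prefixed labels, so a literal '.' in a regex would not match a real one.
    pkt("udp", 53, 51002, b"answer: tryhackme.com A 203.0.113.10"),
    pkt("tcp", 51003, 406, b"POST /upload HTTP/1.1\r\nX-Target: aws-us-east-1\r\n"),
    pkt("tcp", 51004, 443, b"\x16\x03\x01\x02\x00"),  # TLS record, no readable text
]


def frame(p):
    """'frame ...' scope: every byte of the frame, whatever the protocol."""
    return p["raw"]


def tcp(p):
    """'tcp ...' scope: only present when the packet carries TCP; a UDP/DNS
    frame has no tcp field, so tcp contains/matches is simply false for it."""
    return p["raw"] if p["proto"] == "tcp" else None


def port_in(p, members):
    """'tcp.port in {21 23 25 404..406}': either endpoint port; ints or (lo, hi) ranges."""
    if p["proto"] != "tcp":
        return False
    ports = (p["sport"], p["dport"])
    return any((m[0] <= x <= m[1]) if isinstance(m, tuple) else x == m
               for x in ports for m in members)


def contains(data, needle):
    """'contains': case-sensitive byte substring search."""
    return data is not None and needle.encode() in data


def matches(data, pattern):
    """'matches': PCRE-style regex; Wireshark's is case-insensitive by default."""
    return data is not None and re.search(pattern.encode(), data, re.IGNORECASE) is not None


def count(packets, predicate):
    """The packet count Wireshark shows in the lower right for a display filter."""
    return sum(1 for p in packets if predicate(p))


def walkthrough_counts(packets=PACKETS):
    """The task's filters, re-run against the constructed packets."""
    return {
        "tcp.port in {404..406}": count(packets, lambda p: port_in(p, [(404, 406)])),
        "tcp.port in {21 23 25 443}": count(packets, lambda p: port_in(p, [21, 23, 25, 443])),
        'frame matches "assets"': count(packets, lambda p: matches(frame(p), "assets")),
        'frame contains "assets"': count(packets, lambda p: contains(frame(p), "assets")),
        r'frame matches "\.(org|com)"': count(packets, lambda p: matches(frame(p), r"\.(org|com)")),
        r'tcp matches "\.(org|com)"': count(packets, lambda p: matches(tcp(p), r"\.(org|com)")),
        'frame contains "GET"': count(packets, lambda p: contains(frame(p), "GET")),
        'frame matches "get"': count(packets, lambda p: matches(frame(p), "get")),
    }


if __name__ == "__main__":
    for filt, n in walkthrough_counts().items():
        print(f"{filt:32} -> {n}")
```

Running it shows the two points the video makes: the UDP packet is found by frame matches but not by tcp matches, and frame matches "get" picks up the lowercase "get" inside "X-Target" that the case-sensitive frame contains "GET" leaves out, which is why a regex search over frame can return more hits than you expect.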
So that's a practical one, especially if you're not sure what type of server it is; if it's .net, .org, .com, that could be a common one that you actually end up using. All right, so now let's filter all traffic from ports 404 to 406; how many packets match that filter? So as soon as I see a range, right away I think membership operator. So I'm just going to actually copy these over. Why? Because I'm lazy. All right, I'm going to remove this one and I'm just going to say tcp.port in, okay, open curly brace, and instead of the "through", let's pull this out, that doesn't make any sense to Wireshark: dot dot, and then I'm going to close my parenthesis, I'm sorry, close curly brace, easy to do. And then now any conversation that has a port from 404, 405, or 406 is going to be displayed for me, and that's 32 packets. So cool, so let me come back here, 32, I'm going to say submit, and that was good.

Now how many packets contain the string GET? Now if I was going to be real specific, I could say http contains GET, right; now that's one way. What if I wanted to see that word in something not HTTP? Oh, I could say tcp contains GET or frame contains GET. All right, so in this case there's only two packets that actually have that word, and I went ahead and did the case-sensitive contains. So let's come back here and see if that worked; sure enough, it did. All right, so that's some special operators that we were able to learn as well: so our membership operator, that's in, contains, and also matches, which allows us to use Perl compatible regular expressions.

All right, so let's go ahead and come down here: Putting It All Together, filtering for scans. Okay, so I'm going to download this one. Okay, popped it open in Wireshark, and here we can see tryhackme nmap scan v2. Cool, okay, let's come down to our questions. How many packets have that SYN flag? Well, you know what to do: tcp.flags.syn == 1. Okay, I've got 100, I'm sorry, 1023.

Okay, what's the address of the machine that's conducting the SYN scan, or the stealth scan? Where I can see that SYNs are coming from is this .102 number; so let me go ahead and expand IP, just going to come down here to source address, Copy, Value, come back over here, pop that in. Next, what station is being scanned, what's the IP? So .102 is scanning .101, okay, so I'm just going to come over here, paste, move that to .101, and hit enter.

How many ports were open on the server for this port scan? Okay, so how many times do we see .101 returning that SYN/ACK? So I'm going to leave it tcp.flags.syn == 1 and tcp.flags.ack == 1 and ip.src == 192.168.56.101. I also could have just taken this and just dragged this up here and started to do some tinkering with this filter, but I went ahead and did it the long way. Okay, so I can see that that's the number of packets, 23, but I just want to double check that that's also the number of unique conversations that I have. So here I can say I've got a thousand TCP conversations; most of these are just SYN attempts. So if I come down here to Limit to display filter, this will show me just these statistics, but it'll respect the filter that I have applied. I'm going to come in here, I'm just going to say Port A, because this is the SYN/ACK coming back from this server; I'm going to sort that, here I can see, and just eyeball that, and I can see that these are all unique. Okay, so it tells me that this server has 23 unique ports open.

I'm going to tell you, just a little sidebar: usually if I'm doing this kind of crunching I'm going to do it with tshark on the command line, and that's where I'm going to say pull out all of these SYN/ACKs and then I'm going to do a sort | uniq with it, because I want to make sure I'm just getting the unique ones. So if I had two SYN/ACKs on port 21 for example, and two on port 23, and two on port 25, that's only three unique port numbers that are open, right, but I just had two instances of each one, so I would see six packets instead of just three port numbers. Hopefully that makes sense. Okay, I'll show you guys that on another video, but for now we can go ahead and do this with Conversations. Okay, so I can see that I've got 23, so I'm going to come back here; let's go ahead and say 23.

All right, next: what's the lowest port number and then the highest port number? Come over here, I can see port 21 and then 8180. Okay, so 21 and then 8180. Okay, and then next, filter for traffic on TCP port 21. So I'm going to get out of here, going to come over here, just remove this: tcp.port == 21, and just going to put my packets back in order. So the question is, is this a half open or a full connect? Well, a half open is just SYN, SYN/ACK, reset; so only one side was actually open because it got an acknowledgement. A full connect scan is SYN, SYN/ACK, then a reset. So here I can see that this is a half open, so I can just take and I can grab that, copy, paste, and then hit submit.

Now what is the TCP conversation completeness value of this conversation, okay, in a stealth scan? So let me come down here: TCP Incomplete, 35. So here I saw a SYN, which is a value of one, a SYN/ACK, which is a value of two, and then a reset, which is 32. If I add all that together, that's why I see the value of 35, and that's explained up in the description in that task. So here I can see it is 35.

Now when Nmap does a stealth scan, the SYN often has a low TCP window value; what's the value? 1024. And where did I get that from? If I come over here to that SYN: anytime that Nmap itself is actually starting or initiating, by default, that SYN scan, it's going to use a window size of 1024, which is actually one way that we can discover that when we're doing some threat hunting. Okay, so 1024.

Now to filter for a TCP window value, what's the name of the field we should use? Okay, so we found a filter for that; if I just take this and I say Prepare as Filter, Selected, I can see that the actual field name is tcp.window_size_value ==. All right, so that's going to be the answer; that is the field name.

Last, how many of the ports that were scanned on the server are closed? Well, whenever we scan for a port and that port is not open, it's going to kick back a reset. So first let's do this: let's find a port that was not open on that server. Let's just take 1433 for example: right click, Conversation Filter, TCP. I just want to see, okay, here's a SYN and here's a reset. All right, so what I want to see is the conversation completeness; I can actually use that value here, because it's just a SYN and a reset. Okay, so if I come down here I can see that this is a 37, right, so I'm just gonna Prepare as Filter, Selected. Okay, so I want the TCP completeness of 37, and I don't want any SYNs, so then I can say, or I just want the resets, so I can say and tcp.flags.reset == 1. Okay, so all of the resets that have the TCP completeness of 37; that's gonna show me 977 packets. Okay, so these are all of the resets that came back, and I actually went ahead and did a unique sort on this, so we know that all of these are actually unique port numbers, that these weren't repeated, using Wireshark. So I can go 977.
All right, submit. And that does make sense, because there's 23 ports that were open; we scanned a thousand ports by default, 23 were open, so 977 were closed. Okay, last one: filtering for usernames and passwords. Let's go ahead and download this. Okay, so this is a file called ftp brute. So FTP is fun to demonstrate this with because the usernames and passwords are in clear text, so we can see them pretty easily with Wireshark. So how many unique TCP conversations are in this pcap? That was the first question. Let's go to Conversations. We can see that we have 17 unique TCP conversations. All right, now something else that my eye will catch, by the way, as an analyst: most of those conversations are exactly the same length; they were almost all initiated at once, and they all lasted about 11.3 seconds in duration. Just something that I'll file away if I'm ever doing some analysis on this pcap. What port on the server is the attacker connecting to? Well, this is FTP, so if I come here, this is on port 21. So I'm going to pop that in: port 21.
What version of vsftpd are we running? So I'm going to come down here. If I take a look at the response coming back from the server once we establish our handshake, SYN, SYN-ACK, it's going to kick back its response code and version. So if I actually take a look, if I want to do this the long way, come down to my FTP response argument: so this is our service version, so 2.3.4. That's our version, 2.3.4. Hit enter or submit. What's the first username that the attacker attempts to connect to? All right, so let's go ahead and just take a little walk. Now the filter that I could use, if I wanted to, would be looking for the word USER, or I could say ftp.request.command if it's a USER, and then the argument is admin here. So this is something that I could have, or I could have said ftp contains "USER". How's that? And that would allow me to jump quickly to that first username that is sent to the server, and the answer is admin. Okay, next: the first login attempt is in packet 21; set a filter for this TCP connection. What password is attempted? Okay, so we're on packet 81. Right-click, Conversation Filter > TCP, and right after this, here's my username, admin. The server asks it and says, thanks, please specify the password. Cool, I will. The password is "user". Login incorrect. Okay, so "user" is the password that's attempted: user. Now, staying on this TCP connection, what's the next username? Let's come over here. The next one that it tries is USER ftpuser, and that also, the password is "tor", and that login is incorrect. All right, so let's go and put this in: ftpuser. All right, what's the response code for login incorrect? When we come over here, we can see that the response code here is 530. Okay, so not logged in is 530.
So there we go, 530, submit. Now, what is the response code for login successful? So let me just show you a little trick that I would actually do. So I would come down here to my response code; I just found a packet that says login incorrect. I'm going to right-click it, I'm going to Apply as Column, and I'm going to sort that column. So now I can see all the different response codes. Now here I can see: username okay, need password; service ready for new user. This is just that initial one, when we log in and the service is ready, and before we put in our username and password, it's a 220. So 220. Now, on this connection we just didn't have a successful login, but there is a successful login in this pcap. So I'm going to remove my filter, and right now I can see my service ready for new user. Now let's go and look for the one that's different: not logged in, service ready, user logged in, proceed, login successful. Ooh! So if I select this, the response code of 230 is a login successful. All right, so I'm going to put my packets back in order, come down to that login successful; I'm on packet 541. Right-click, Follow > TCP Stream. Here I can see that the username is msfadmin, the password is msfadmin, and the login was successful. Awesome. Okay, so let's come back here and answer our questions. So the response code is 230.
The username and password: msfadmin (Metasploit Framework admin), and I'm going to separate that with a colon: msfadmin:msfadmin, and say okay. Now, what's the display filter for all TCP successful login packets? Use a space before and after the operator this time. Okay, so I'm just going to close, and I'm going to come down here to this response, or login successful, and the response code. So ftp.response.code: I'm going to take this and drag it upstairs, selected. So if I want to filter for all successful responses in an FTP conversation or FTP pcap, I would use this filter. That might be one that I want to save over here with my plus button; I can save it as "ftp successful" or something like that. I copied this and I can come over here and I can just paste this in, and it's got the spaces on each side of the operator. Hit submit. Now, how many times does the attacker try to authenticate with the username chris? Hmm, okay, let's find out. Let's go ahead and I'm going to just go back and say Conversation Filter > TCP, and now what I want to do is, when it says request user, request argument, I'm going to right-click this, Prepare as Filter > Selected, and I'm going to just type in, instead of msfadmin, let's just say the request argument is chris. All right, here I can see that the request... I've got seven packets, seven times that the initiator tries to use the username of chris to log in. Okay, so I can see that is a seven. Hit submit. And that, my friends, brings us to the conclusion of this room. So I can just hit completed, and now we have successfully completed the Wireshark Filters room. So congratulations, everybody, for getting through this one. I hope that you enjoyed it, getting some more practice with Wireshark filters. I hope this was practical for you. If you liked it, share this room with others, go ahead and give it a thumbs up within TryHackMe; that really helps me so that they see that good content is coming their way. And go ahead and comment at the bottom of this video; let me know what you thought about it. All right,
take care, everybody. Bye for now.
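The walkthrough above leans on two things Wireshark computes for you: the tcp.completeness sum (35 for the SYN, SYN-ACK, RST of a half-open probe against an open port; 37 for the SYN and RST/ACK of a closed port) and display filters over the ftp.request.* and ftp.response.* fields. Below is an added example, written for this page and not code from the video, the channel or TryHackMe, that reproduces both in Python on constructed data. The bit values (SYN 1, SYN-ACK 2, ACK 4, data 8, FIN 16, RST 32) are the ones Wireshark documents; the rule for when each bit is set is my reading of how those values come out, and the scan shapes, the 1000-port scan with 23 open ports, and the FTP stream are all constructed stand-ins for the room's pcaps, not captures.

```python
"""Added example (not from the video or TryHackMe): Wireshark's
tcp.completeness arithmetic and the FTP display filters from the
walkthrough, run over constructed data."""

import re

# Bit values Wireshark documents for tcp.completeness.
SYN, SYN_ACK, ACK, DATA, FIN, RST = 1, 2, 4, 8, 16, 32


def completeness(segments):
    """Accumulate completeness bits over one conversation.
    segments: iterable of (flag-name set, payload_len).  Assumption: a bare
    SYN sets 1, SYN+ACK sets 2, any non-SYN segment with ACK sets 4,
    payload 8, FIN 16, RST 32, which is how Wireshark's values come out."""
    value = 0
    for flags, payload in segments:
        if "SYN" in flags:
            value |= SYN_ACK if "ACK" in flags else SYN
        elif "ACK" in flags:
            value |= ACK
        if payload:
            value |= DATA
        if "FIN" in flags:
            value |= FIN
        if "RST" in flags:
            value |= RST
    return value


# Constructed probe shapes: -sS tears an open port down with a bare RST,
# -sT finishes the handshake first, and a closed port answers RST/ACK.
HALF_OPEN = [({"SYN"}, 0), ({"SYN", "ACK"}, 0), ({"RST"}, 0)]
FULL_CONNECT = [({"SYN"}, 0), ({"SYN", "ACK"}, 0), ({"ACK"}, 0), ({"RST", "ACK"}, 0)]
CLOSED = [({"SYN"}, 0), ({"RST", "ACK"}, 0)]


def classify(segments):
    """Name the probe outcome from the completeness bits alone."""
    v = completeness(segments)
    if v & SYN_ACK:
        return "open, full connect" if v & ACK else "open, half-open"
    return "closed" if v & RST else "filtered or unfinished"


def build_scan(open_ports, total=1000):
    """Constructed -sS scan of ports 1..total; open_ports answer SYN-ACK."""
    return {p: HALF_OPEN if p in open_ports else CLOSED for p in range(1, total + 1)}


def count_closed(scan):
    """Per-port equivalent of: tcp.completeness == 37 && tcp.flags.reset == 1"""
    return sum(1 for segs in scan.values()
               if completeness(segs) == 37 and any("RST" in f for f, _ in segs))


# Constructed FTP control channel for one brute-force connection.
FTP_STREAM = """\
220 (vsFTPd 2.3.4)
USER admin
331 Please specify the password.
PASS user
530 Login incorrect.
USER chris
331 Please specify the password.
PASS chris
530 Login incorrect.
USER chris
331 Please specify the password.
PASS letmein
530 Login incorrect.
USER msfadmin
331 Please specify the password.
PASS msfadmin
230 Login successful.
"""
FTP_REPLY = re.compile(r"^(\d{3})[ -](.*)$")


def parse_ftp(stream):
    """One dict per line, keyed like Wireshark's ftp.request.* / ftp.response.* fields."""
    packets = []
    for line in stream.splitlines():
        m = FTP_REPLY.match(line)
        if m:
            packets.append({"response_code": int(m.group(1)), "response_arg": m.group(2)})
        else:
            cmd, _, arg = line.partition(" ")
            packets.append({"request_command": cmd, "request_arg": arg})
    return packets


def display_filter(packets, **fields):
    """Mimic ftp.response.code == 230 or ftp.request.command == "USER" && ftp.request.arg == "chris"."""
    return [p for p in packets if all(p.get(k) == v for k, v in fields.items())]


def successful_logins(packets):
    """Pair each 230 reply with the USER and PASS that preceded it in the stream."""
    creds, found = {}, []
    for p in packets:
        if "request_command" in p:
            creds[p["request_command"]] = p["request_arg"]
        elif p["response_code"] == 230:
            found.append(f"{creds.get('USER')}:{creds.get('PASS')}")
    return found
```

The completeness arithmetic explains the two numbers in the walkthrough: an open port probed with -sS gives 1 + 2 + 32 = 35, a closed port gives 1 + 4 + 32 = 37 because the RST comes back with ACK set, and a full connect against an open port would add the third-handshake ACK for 39. Filtering per port on the 37 value is the same trick the video uses to count the 977 closed ports in a default 1000-port scan with 23 open, and successful_logins() is the scripted version of following the TCP stream that contains the 230 reply.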
Info
Channel: Chris Greer
Views: 10,390
Keywords: intro to wireshark, wireshark, chris greer, free wireshark training, wireshark for beginners, wireshark tutorial, packet analysis, protocol analysis, wireshark training, packet capture, wireshark training 2022, Wireshark Packet Capture, wireshark filters, tryhackme wireshark, tryhackme walkthrough, tryhackme packet analysis, tryhackme tutorial, wireshark basics
Id: -MLkdg4s4ew
Length: 43min 47sec (2627 seconds)
Published: Tue Sep 06 2022