Last active
October 12, 2025 03:22
githubfoam revised this gist
Dec 10, 2021 . 1 changed file with 25 additions and 0 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -15,11 +15,28 @@ tshark -i 2 -f "port bootpc" -w DHCP_Only.pcap -f #allows to configure a capture #The -d udp.port flag instructs wireshark to interpret packets with the UDP port "51234" and the decode as MPLS label #the encapsulated content (ICMPv6) can be recognized. tshark -ni eth1 -Y "ip.addr==172.222.19.198 and ip.addr==172.222.19.199 and icmpv6" -d udp.port==51234,mpls #extract data from any HTTP requests #-e options identify which fields to extract tshark -i wlan0 -Y http.request -T fields -e http.host -e http.user_agent #extracts both the DNS query and the response address tshark -i wlan0 -f "src port 53" -n -T fields -e dns.qry.name -e dns.resp.addr tshark -i wlan0 -f "src port 53" -n -T fields -e frame.time -e ip.src -e ip.dst -e dns.qry.name -e dns.resp.addr #TCP stream of the HTTP Post tshark -i wlan0 -Y 'http.request.method == POST and tcp contains "password"' | grep password ============================================================================ analysis ============================================================================ tshark -nr input.cap -R "dns" -V #print the DNS packets #sort and count the occurrences of the http.user_agent tshark -r example.pcap -Y http.request -T fields -e http.host -e http.user_agent | sort | uniq -c | sort -n #HTTP filters tshark -r example.pcap -Y http.request -T fields -e http.host -e ip.dst -e http.request.full_uri ============================================================================ #read file HTTP_Traffic and use filter http.request.methog==GET to create a filtered file HTTP_Get.pcap tshark -2 -R "http.request.method==GET" -r HTTP_Traffic.pcap -w HTTP_Get.pcap 
@@ -33,6 +50,14 @@ tshark -nr nmap_sn.pcap tshark -n -r [capture file] -Y ‘ssl.handshake.type==1’ -T fields -e ip.src -e ip.dst -e \ ssl.handshake.extensions_server_name #modern SSL libraries use Server Name Indication (SNI) as part of the SSL Client Hello to indicate to the server which site they are trying to connect to #The SNI option is sent in the clear to allow for name virtual hosting with SSL tshark -r file.pcap -Y 'ssl.handshake.type==1' -T fields -e ip.dst -e tcp.srcport -e ssl.handshake.extensions_server_name | sed "s/\t/:/" > /tmp/ssi #extract the host names advertised by the certificate that the server returns #filter for certificate messages (type 11) and extract the source ip and the destination port tshark -r file.pcap -Y 'ssl.handshake.type==11' -T fields -e ip.src -e tcp.dstport -e x509sat.uTF8String -e x509ce.dNSName | sed "s/\t/:/" > /tmp/in >tshark -r tor.pcapng | findstr "Client Hello" tshark -n -r [capture file] -Y ssl.handshake.type==11 -T fields -e x509ce.dNSName | tr -s \ -
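Review bot: The two SNI/certificate extraction lines in the second hunk pair the wrong endpoint with the wrong port: for a Client Hello (`ssl.handshake.type==1`) the server is `ip.dst`, so its port is `tcp.dstport` rather than `tcp.srcport`, and for a Certificate message (`type==11`) the server is `ip.src`, so its port is `tcp.srcport` rather than `tcp.dstport`; as written, the `ip:port` that `sed "s/\t/:/"` builds joins a server address to the client's ephemeral port. Change them to `-e ip.dst -e tcp.dstport` and `-e ip.src -e tcp.srcport` respectively. The outputs are written to fixed names `/tmp/ssi` and `/tmp/in` in a shared directory; on a multi-user analysis host prefer `mktemp` or a path under the analyst's own directory so another user cannot pre-create or symlink the target. The `ssl.*` field prefix has been a legacy alias of `tls.*` since Wireshark 3.0 and may not be accepted by newer releases, which is worth confirming against the tshark version in use. The rendered page collapses the hunk onto one line, so which of these lines are new versus context cannot be confirmed here.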
githubfoam revised this gist
Dec 3, 2021 . 1 changed file with 43 additions and 29 deletions.There are no files selected for viewing
@@ -2,45 +2,59 @@ #Wireshark installation directory: windows C:\Program Files (x86)\Wireshark>tshark.exe ============================================================================ tshark -D #list of available interfaces ============================================================================ capture ============================================================================ tshark -i 2 #start capturing traffic on interface n°2 tshark -i 2 -a duration:10 #capture for 10 seconds, then stop tshark -i 2 -w output_file.pcap #save a caputre to a file tshark -i 2 -f "port bootpc" -w DHCP_Only.pcap -f #allows to configure a capture filter #On a fabric interface, all packets coming from or going to a Virtual Machine (VM) will be encapsulated in MPLS over UDP or GRE header #The -d udp.port flag instructs wireshark to interpret packets with the UDP port "51234" and the decode as MPLS label #the encapsulated content (ICMPv6) can be recognized. tshark -ni eth1 -Y "ip.addr==172.222.19.198 and ip.addr==172.222.19.199 and icmpv6" -d udp.port==51234,mpls ============================================================================ analysis ============================================================================ tshark -nr input.cap -R "dns" -V #print the DNS packets ============================================================================ #read file HTTP_Traffic and use filter http.request.methog==GET to create a filtered file HTTP_Get.pcap tshark -2 -R "http.request.method==GET" -r HTTP_Traffic.pcap -w HTTP_Get.pcap tshark -r HTTP_Traffic.pcap -qz io,phs -z #read statistics from a file - this is for protocol hierarchy ============================================================================ tshark -r nmap_sn.pcap #read pcap file tshark -n -r nmap_sn.pcap #Read a pcap, don't resolve names (layers 3 or 4) tshark -nr nmap_sn.pcap ============================================================================ #SSL Client Hello requests tshark -n -r [capture file] -Y 
‘ssl.handshake.type==1’ -T fields -e ip.src -e ip.dst -e \ ssl.handshake.extensions_server_name >tshark -r tor.pcapng | findstr "Client Hello" tshark -n -r [capture file] -Y ssl.handshake.type==11 -T fields -e x509ce.dNSName | tr -s \ ‘,‘ ‘\n’ | sort | uniq -c | sort -rn | head -30 tshark -n -r [capture file] -Y ‘x509ce.uniformResourceIdentifier’ -T fields -e \ x509ce.uniformResourceIdentifier | tr -s ‘,‘ ‘\n’ | sort -u tshark -n -r [capture file] -Y ssl.handshake.type==11 -T fields -e x509sat.IA5String -e x509sat.uTF8String -e x509sat.PrintableString -e x509sat.TeletexString -e x509sat.BMPString -e x509sat.UniversalString | tr -s ‘,’ ‘\n’ | sort -u #extract URI,relevant threat database tshark -r tor.pcapng -Y ssl.handshake.type==11 -T fields -e x509ce.uniformResourceIdentifier #Extract Domain Name,relevant threat database tshark -r tor.pcapng -Y ssl.handshake.type==11 -T fields -e x509ce.dNSName #Cipher Suites list of trusted software and detect Cipher Suites list usage tshark -r tor.pcapng -Y ssl.handshake.ciphersuites -Vx #build a signature sha1 database for each Cipher Suite tshark -r [capture file] -Y ssl.handshake.type==1 -T fields \ -e ssl.handshake.ciphersuite | sort -u | xargs -I {} sh -c ‘echo -n {}” “ && echo -n {} | \ sha1sum’ | awk ‘{printf $2” “$1”\n”}’ ============================================================================ -
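Review bot: The SSL/certificate commands in this section use typographic quotes (`‘…’`, `“…”`) instead of ASCII quotes, so the shell passes the curly characters through as literal bytes: the display filter becomes `‘ssl.handshake.type==1’`, which tshark rejects, `tr -s ‘,‘ ‘\n’` receives multibyte arguments, and the `sh -c ‘echo -n {}” “ …’` command does not parse at all; replace every curly quote with `'` or `"`. The cipher-suite hashing line also substitutes `xargs -I {}` data into a `sh -c` command string, which is the shape of a command-injection bug even though cipher-suite values are numeric here; `… | sort -u | while IFS= read -r cs; do printf '%s %s\n' "$(printf '%s' "$cs" | sha1sum | cut -d' ' -f1)" "$cs"; done` yields the same hash-then-suite output without re-parsing data as shell. Separately, `tshark -i 2 -f "port bootpc" -w DHCP_Only.pcap -f #allows …` leaves the trailing `-f` without an argument because `#` starts a comment, so tshark exits with a usage error; drop the trailing `-f` (the same line appears in the initial revision's hunk at the bottom of the page). The rendered page does not preserve which lines are added versus context, so some of these may be pre-existing lines carried into the hunk.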
githubfoam revised this gist
Dec 3, 2021 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,7 +1,7 @@ ============================================================================ #Wireshark installation directory: windows C:\Program Files (x86)\Wireshark>tshark.exe ============================================================================ tshark -r nmap_sn.pcap #read pcap file tshark -n -r nmap_sn.pcap #Read a pcap, don't resolve names (layers 3 or 4) tshark -nr nmap_sn.pcap -
githubfoam created this gist
Dec 3, 2021 .There are no files selected for viewing
@@ -0,0 +1,46 @@ ============================================================================ #Wireshark installation directory: windows C:\Program Files (x86)\Wireshark>tshark.exe tshark -r nmap_sn.pcap #read pcap file tshark -n -r nmap_sn.pcap #Read a pcap, don't resolve names (layers 3 or 4) tshark -nr nmap_sn.pcap tshark -D #list of available interfaces tshark -i 2 #start capturing traffic on interface n°2 tshark -i 2 -a duration:10 #capture for 10 seconds, then stop tshark -i 2 -w output_file.pcap #save a caputre to a file tshark -i 2 -f "port bootpc" -w DHCP_Only.pcap -f #allows to configure a capture filter #read file HTTP_Traffic and use filter http.request.methog==GET to create a filtered file HTTP_Get.pcap tshark -2 -R "http.request.method==GET" -r HTTP_Traffic.pcap -w HTTP_Get.pcap tshark -r HTTP_Traffic.pcap -qz io,phs -z #read statistics from a file - this is for protocol hierarchy #On a fabric interface, all packets coming from or going to a Virtual Machine (VM) will be encapsulated in MPLS over UDP or GRE header #The -d udp.port flag instructs wireshark to interpret packets with the UDP port "51234" and the decode as MPLS label #the encapsulated content (ICMPv6) can be recognized. tshark -ni eth1 -Y "ip.addr==172.222.19.198 and ip.addr==172.222.19.199 and icmpv6" -d udp.port==51234,mpls tshark -nr input.cap -R "dns" -V #print the DNS packets ============================================================================ # use the SQL, XSS and XXE modules when scanning the target. 
wapiti -u http://testphp.vulnweb.com -m sql,xss,xxe # the xss module will apply to requests submitted by the GET method wapiti -u http://testphp.vulnweb.com -m “xss: get, blindsql: post, xxe: post” #The wapiti-getcookie tool can be used to use authentication # use it to generate a cookie that Wapiti will use when scanning # At the output,file in JSON format wapiti-getcookie -u http://demo.testfire.net/login.jsp -c cookie.json # Another option is to add all the required information via the -d parameter wapiti-getcookie - http://demo.testfire.net/login.jsp -c cookie.json -d "username=admin&password=admin&enter=submit" # -m – connect all modules – not recommended, because will affect testing time and report size # -c – use the cookie file generated by wapiti-getcookie # -scope – selection of a target for an attack. Selecting the folder option will scan and attack every URL starting from the base one. The base URL must have a forward slash (no filename) # -flush-session – allows you to re-scan, which will not take into account previous results # -A – own User-Agent # -p – proxy server address wapiti --level 1 -u http://demo.testfire.net -f html -o /tmp/vulns.html -m all --color -с cookie.json --scope folder --flush-session -A 'Wapiti Scans' -p http://myproxy:3128 # -n: Define a limit of urls to read with the same pattern (prevent endless loops), here limit to 10. wapiti http://demo.testfire.net -n 10 -b folder -u -v 1 -f html -o /tmp/scan_report wapiti https://authlab.digi.ninja -u -n 5 -b domain -v 2 -o /tmp/outfile.html # scan only for sql and blindsql attacks wapiti https://authlab.digi.ninja -u -n 5 -b domain -m "-all,sql,blindsql" -v 2 -o /tmp/outfile.html ============================================================================
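Review bot: The `-с` in `wapiti --level 1 … --color -с cookie.json …` appears to be a non-ASCII look-alike of the ASCII letter `c`, which is consistent with the forge's hidden-Unicode warning on this file; an option parser will not recognize it, so the cookie file is silently ignored — retype it as plain `-c cookie.json`. The second `wapiti-getcookie` line has a bare `-` before the URL where `-u` is expected, so it too will not run as written. The `-d "username=admin&password=admin&…"` form places credentials on the command line, where they are visible in process listings and shell history; the cookie-file approach documented just above it is the safer variant to keep. This hunk is the last content on the page, so it may continue past what is visible here.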