# Packet Scanning

## tcpdump

```bash
# Basic capture
tcpdump -i eth0
tcpdump -c 100 -i eth0                    # Capture 100 packets
tcpdump -A -i eth0                         # Print packets in ASCII
tcpdump -XX -i eth0                        # Print packets in HEX and ASCII
tcpdump -w capture.pcap -i eth0            # Write to file
tcpdump -r capture.pcap                    # Read from file
tcpdump -n -i eth0                         # Don't resolve hostnames
tcpdump -nn -i eth0                        # Don't resolve hostnames or ports

# Filter by port/host
tcpdump -i eth0 port 22
tcpdump -i eth0 port 80 or port 443
tcpdump -i eth0 src 172.21.10.X
tcpdump -i eth0 dst 172.21.10.X
tcpdump -i eth0 host 10.10.10.10
tcpdump -i eth0 net 192.168.1.0/24

# Filter by protocol
tcpdump -i eth0 icmp
tcpdump -i eth0 tcp
tcpdump -i eth0 udp

# Complex filters
tcpdump -i eth0 'tcp[tcpflags] & (tcp-syn) != 0'     # SYN packets
tcpdump -i eth0 'tcp[tcpflags] & (tcp-rst) != 0'     # RST packets
tcpdump -i eth0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'  # HTTP with data

# Capture credentials (unencrypted)
tcpdump -i eth0 -A port 21 or port 23 or port 110 or port 143

# Online pcap analysis (never upload client or production captures to a third-party service)
# https://packettotal.com/
```
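The three "complex filters" above are plain byte-offset arithmetic on the IP and TCP headers, and it is worth seeing what they actually compute. The following is an added example, not code from the pentest-book page: a pure-Python libpcap reader that evaluates `tcp[tcpflags] & tcp-syn`, `tcp[tcpflags] & tcp-rst` and the "HTTP with data" expression `ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2)` on each frame. The sample capture is constructed inline (a SYN carrying an MSS option, the handshake reply, an empty ACK, a GET, and a RST), so it runs without root, an interface or a real pcap; addresses and the `example.test` host are placeholders.

```python
import struct

# Constructed sample traffic (not from any real capture): a short HTTP exchange.
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x02, 0x04, 0x08, 0x10


def build_tcp_frame(src, dst, sport, dport, flags, payload=b"", tcp_opts=b""):
    """Ethernet/IPv4/TCP frame. Checksums are left zero; the filters never look at them."""
    tcp_hlen = 20 + len(tcp_opts)                      # options must pad to a 4-byte multiple
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                      (tcp_hlen // 4) << 4, flags, 65535, 0, 0) + tcp_opts
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    eth = b"\x00" * 12 + b"\x08\x00"                   # zero MACs, EtherType IPv4
    return eth + ip + tcp + payload


def build_pcap(frames, link_type=1):
    """Serialise frames as a little-endian libpcap file (what tcpdump -w writes)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, link_type)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield (timestamp, frame) from a classic libpcap file of either byte order (not pcapng)."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        e = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        e = ">"
    else:
        raise ValueError("not a classic libpcap file (pcapng needs a different reader)")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(e + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def classify(frame):
    """Evaluate the byte-offset expressions tcpdump uses on one Ethernet frame.
    Returns None for anything that is not IPv4/TCP."""
    if frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:                  # version 4, protocol TCP
        return None
    ip_hlen = (ip[0] & 0x0F) << 2                      # ((ip[0]&0xf)<<2): IP header bytes
    ip_total = struct.unpack("!H", ip[2:4])[0]         # ip[2:2]: IP total length
    tcp = ip[ip_hlen:]
    tcp_hlen = (tcp[12] & 0xF0) >> 2                   # ((tcp[12]&0xf0)>>2): TCP header bytes
    flags = tcp[13]                                    # tcp[tcpflags]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {
        "sport": sport, "dport": dport,
        "syn": bool(flags & TCP_SYN),                   # tcp[tcpflags] & tcp-syn != 0
        "rst": bool(flags & TCP_RST),                   # tcp[tcpflags] & tcp-rst != 0
        "payload_len": ip_total - ip_hlen - tcp_hlen,   # the 'HTTP with data' arithmetic
    }


def select(pcap_bytes, predicate):
    """Return the classified frames for which predicate() holds, in capture order."""
    hits = []
    for _ts, frame in read_pcap(pcap_bytes):
        info = classify(frame)
        if info is not None and predicate(info):
            hits.append(info)
    return hits


def http_with_data(pcap_bytes):
    """tcp port 80 and payload length != 0: the empty segments of the handshake drop out."""
    return select(pcap_bytes, lambda i: 80 in (i["sport"], i["dport"]) and i["payload_len"] != 0)


SAMPLE_PCAP = build_pcap([
    build_tcp_frame("10.0.0.5", "10.0.0.80", 40000, 80, TCP_SYN, tcp_opts=b"\x02\x04\x05\xb4"),  # SYN + MSS option
    build_tcp_frame("10.0.0.80", "10.0.0.5", 80, 40000, TCP_SYN | TCP_ACK),
    build_tcp_frame("10.0.0.5", "10.0.0.80", 40000, 80, TCP_ACK),                                # empty ACK
    build_tcp_frame("10.0.0.5", "10.0.0.80", 40000, 80, TCP_PSH | TCP_ACK, HTTP_REQUEST),
    build_tcp_frame("10.0.0.80", "10.0.0.5", 80, 40000, TCP_RST),
])

if __name__ == "__main__":
    print("SYN frames:", len(select(SAMPLE_PCAP, lambda i: i["syn"])))
    print("RST frames:", len(select(SAMPLE_PCAP, lambda i: i["rst"])))
    for info in http_with_data(SAMPLE_PCAP):
        print("HTTP with %d payload bytes from port %d" % (info["payload_len"], info["sport"]))
```

The SYN carries a 4-byte option, so its TCP header is 24 bytes; reading the data offset from `tcp[12]` instead of assuming 20 is what keeps it out of the "with data" set. Point `read_pcap` at the bytes of a `tcpdump -w` file and the same predicates work on real traffic.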

## Wireshark / tshark

```bash
# CLI capture with tshark
tshark -i eth0                             # Basic capture
tshark -i eth0 -w capture.pcap             # Write to file
tshark -r capture.pcap                     # Read from file
tshark -i eth0 -f "port 80"                # Capture filter
tshark -r capture.pcap -Y "http"           # Display filter

# Extract specific fields
tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e tcp.port
tshark -r capture.pcap -Y "http.request" -T fields -e http.host -e http.request.uri

# Follow TCP streams
tshark -r capture.pcap -z follow,tcp,ascii,0

# Protocol statistics
tshark -r capture.pcap -z io,phs           # Protocol hierarchy
tshark -r capture.pcap -z conv,tcp         # TCP conversations
tshark -r capture.pcap -z endpoints,ip     # IP endpoints

# Extract HTTP objects
tshark -r capture.pcap --export-objects "http,./extracted_files"

# Common display filters for Wireshark
# http.request.method == "POST"
# tcp.flags.syn == 1
# dns.qry.name contains "domain"
# ftp.request.command == "PASS"
# smb2.filename
# kerberos.CNameString
```

## Protocol-specific analysis

```bash
# HTTP traffic analysis
tshark -r capture.pcap -Y "http" -T fields -e http.host -e http.request.uri -e http.request.method
tshark -r capture.pcap -Y "http.request.method==POST" -T fields -e http.file_data

# DNS queries
tshark -r capture.pcap -Y "dns.flags.response == 0" -T fields -e dns.qry.name

# SMB file operations
tshark -r capture.pcap -Y "smb2.filename" -T fields -e smb2.filename

# FTP credentials (print the command too, so USER and PASS lines can be told apart)
tshark -r capture.pcap -Y 'ftp.request.command == "USER" || ftp.request.command == "PASS"' -T fields -e ftp.request.command -e ftp.request.arg

# NTLM authentications. Note that to crack them you need the server challenge from the
# CHALLENGE message (type 2) paired with the NT response from the AUTHENTICATE message (type 3);
# the command below only lists who authenticated. NTLMRawUnHide/PCredz (next section) do the pairing.
tshark -r capture.pcap -Y "ntlmssp.messagetype == 3" -T fields -e ntlmssp.auth.username -e ntlmssp.auth.domain
```

## Credential extraction

```bash
# https://github.com/lgandx/PCredz
./Pcredz -f file-to-parse.pcap
./Pcredz -d /tmp/pcap-directory-to-parse/
./Pcredz -i eth0 -v

# https://github.com/DanMcInerney/net-creds
python2 net-creds.py -p capture.pcap
python2 net-creds.py -i eth0

# Extract NTLM hashes with NTLMRawUnHide (pairs each type 2 challenge with the following
# type 3 response and prints hashcat-ready NetNTLMv1/v2 lines)
# https://github.com/mlgualtieri/NTLMRawUnHide
python3 NTLMRawUnHide.py -i capture.pcap

# Wireshark manual extraction
# Filter: ntlmssp
# From the NTLMSSP_CHALLENGE message take "NTLM Server Challenge"; from the matching
# NTLMSSP_AUTH message take the user, domain and "NTLMv2 Response" (first 16 bytes are the
# NTProofStr, the rest is the blob): right-click the field -> Export Packet Bytes
```
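The NTLM lines in the protocol-specific section and the manual Wireshark steps above both come down to the same operation: take the 8-byte server challenge from the type 2 message, take the NT response, user and domain from the type 3 message, and lay them out in hashcat's NetNTLMv2 (`-m 5600`) or NetNTLMv1 (`-m 5500`) format. The following added example (not code from the page, NTLMRawUnHide or PCredz) parses raw NTLMSSP messages and does that pairing per client/server flow. The messages are constructed inline with the builders at the top; the challenge, NTProofStr and blob bytes are fixed placeholder values, not a real authentication, and OEM (non-Unicode) strings are assumed to be latin-1.

```python
import struct

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
DEFAULT_FLAGS = NTLMSSP_NEGOTIATE_UNICODE | 0x00000200   # unicode strings, NTLM


def _field(data, offset):
    """Len/MaxLen/Offset triple that NTLMSSP uses to point into the payload."""
    return struct.pack("<HHI", len(data), len(data), offset)


def build_challenge(server_challenge, flags=DEFAULT_FLAGS):
    """Minimal NTLMSSP CHALLENGE (type 2); constructed for this example, empty target info."""
    return (b"NTLMSSP\x00" + struct.pack("<I", 2) + _field(b"", 48) +
            struct.pack("<I", flags) + server_challenge + b"\x00" * 8 + _field(b"", 48))


def build_authenticate(user, domain, nt_response, lm_response=b"\x00" * 24, flags=DEFAULT_FLAGS):
    """Minimal NTLMSSP AUTHENTICATE (type 3); constructed for this example (no MIC/version)."""
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    parts = [lm_response, nt_response, domain.encode(enc), user.encode(enc), b"", b""]
    header_len = 64                                    # 12 + six 8-byte fields + 4 flag bytes
    fields, payload = b"", b""
    for part in parts:
        fields += _field(part, header_len + len(payload))
        payload += part
    return b"NTLMSSP\x00" + struct.pack("<I", 3) + fields + struct.pack("<I", flags) + payload


def _read_field(msg, pos):
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    return msg[offset:offset + length]


def parse_ntlmssp(msg):
    """Pull out of a type 2 or type 3 message exactly what cracking needs."""
    if msg[:8] != b"NTLMSSP\x00":
        raise ValueError("no NTLMSSP signature")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if mtype == 2:
        return {"type": 2, "challenge": msg[24:32]}    # ServerChallenge lives at offset 24
    if mtype == 3:
        flags = struct.unpack_from("<I", msg, 60)[0]
        enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"  # OEM assumed latin-1
        return {"type": 3,
                "lm_response": _read_field(msg, 12),
                "nt_response": _read_field(msg, 20),
                "domain": _read_field(msg, 28).decode(enc),
                "user": _read_field(msg, 36).decode(enc)}
    return {"type": mtype}


def hashcat_line(challenge, auth):
    """NetNTLMv2 (hashcat -m 5600) or NetNTLMv1 (-m 5500) line for one challenge/response pair."""
    nt = auth["nt_response"]
    if len(nt) > 24:                                    # NTLMv2: 16-byte NTProofStr + blob
        return "%s::%s:%s:%s:%s" % (auth["user"], auth["domain"], challenge.hex(),
                                    nt[:16].hex(), nt[16:].hex())
    if len(nt) == 24:                                   # NTLMv1: LM response, NT response, challenge
        return "%s::%s:%s:%s:%s" % (auth["user"], auth["domain"],
                                    auth["lm_response"].hex(), nt.hex(), challenge.hex())
    return None                                         # anonymous/NULL session: nothing to crack


def extract_hashes(messages):
    """messages: ((src, dst), raw_ntlmssp) tuples in capture order. A CHALLENGE sent
    server->client is paired with the next AUTHENTICATE on the reverse flow."""
    pending, lines = {}, []
    for (src, dst), raw in messages:
        m = parse_ntlmssp(raw)
        if m["type"] == 2:
            pending[(dst, src)] = m["challenge"]       # key by the client->server direction
        elif m["type"] == 3 and (src, dst) in pending:
            line = hashcat_line(pending.pop((src, dst)), m)
            if line:
                lines.append(line)
    return lines


# Constructed sample exchange: fixed placeholder bytes, not a real capture.
CHALLENGE = bytes.fromhex("1122334455667788")
NTPROOF = bytes.fromhex("0102030405060708090a0b0c0d0e0f10")
BLOB = bytes.fromhex("0101000000000000" + "00" * 24)
CLIENT, SERVER = ("10.0.0.5", 49152), ("10.0.0.80", 445)
SAMPLE_MESSAGES = [
    ((SERVER, CLIENT), build_challenge(CHALLENGE)),
    ((CLIENT, SERVER), build_authenticate("alice", "CORP", NTPROOF + BLOB)),
]

if __name__ == "__main__":
    for line in extract_hashes(SAMPLE_MESSAGES):
        print(line)                                     # then: hashcat -m 5600 hashes.txt wordlist
```

An AUTHENTICATE message whose CHALLENGE was not captured is silently dropped: without the server challenge there is nothing to crack, which is why a capture must start before the authentication, not in the middle of it. To feed real traffic in, take the raw `ntlmssp` blobs from the SMB, HTTP or LDAP dissection with their IP/port tuples and pass them in capture order.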

## Encrypted traffic analysis

```bash
# Decrypt TLS with the key log written by a client started with SSLKEYLOGFILE=sslkeys.log
# (Firefox, Chrome, curl and others honour it). An RSA server private key alone only decrypts
# sessions that used RSA key exchange; with (EC)DHE, and always with TLS 1.3, you need the key log.
tshark -r capture.pcap -o "tls.keylog_file:sslkeys.log" -Y "http"

# Wireshark: Edit -> Preferences -> Protocols -> TLS -> (Pre)-Master-Secret log filename

# Identify destinations without decrypting: the SNI in each ClientHello
tshark -r capture.pcap -Y "tls.handshake.type == 1" -T fields -e tls.handshake.extensions_server_name

# JA3 fingerprinting of TLS clients (ClientHello; for the server side, JA3S, filter
# tls.handshake.type == 2 and read tls.handshake.ja3s)
# https://github.com/salesforce/ja3
tshark -r capture.pcap -Y "tls.handshake.type == 1" -T fields -e tls.handshake.ja3

# Detect potential C2 beaconing: frame counts per 60 s bucket. Narrow the filter part of the
# COUNT() to one suspect host or port and look for a flat, regular count across buckets
tshark -r capture.pcap -z io,stat,60,"COUNT(frame)frame"
```
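The `io,stat` buckets above show regularity by eye; a per-flow score is more useful once a capture has more than a handful of hosts. The following added example (not code from the page) reads the tab-separated output of `tshark -r capture.pcap -Y "tcp.flags.syn == 1 && tcp.flags.ack == 0" -T fields -e frame.time_epoch -e ip.src -e ip.dst`, groups connection attempts by (src, dst) and rates each flow by the median inter-connection gap and its median absolute deviation. A sleeping implant with a few percent of random jitter scores close to 0; interactive traffic does not. The sample data is constructed inside the block (one 60-second beacon to 203.0.113.7 and one irregular flow), and the 10-connection / 0.25 thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from statistics import median


def parse_tshark_fields(text):
    """Parse 'frame.time_epoch<TAB>ip.src<TAB>ip.dst' lines into (ts, src, dst) tuples."""
    records = []
    for line in text.splitlines():
        cols = line.rstrip("\n").split("\t")
        if len(cols) == 3 and cols[1] and cols[2]:       # skip frames without IPv4 fields
            records.append((float(cols[0]), cols[1], cols[2]))
    return records


def beacon_score(timestamps):
    """(median gap, jitter ratio) for one flow, or None with fewer than 5 samples.
    jitter ratio = MAD(gaps) / median(gaps): a periodic sleep with small random jitter
    stays near 0, while human-driven traffic is far above. MAD rather than stddev so a
    few long outages do not hide a beacon."""
    ts = sorted(timestamps)
    if len(ts) < 5:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    med = median(gaps)
    if med <= 0:
        return None
    mad = median(abs(g - med) for g in gaps)
    return med, mad / med


def find_beacons(records, min_connections=10, max_jitter=0.25):
    """Group by (src, dst), score each flow, return the regular ones, most regular first."""
    flows = defaultdict(list)
    for ts, src, dst in records:
        flows[(src, dst)].append(ts)
    found = []
    for (src, dst), ts in flows.items():
        if len(ts) < min_connections:
            continue
        score = beacon_score(ts)
        if score and score[1] <= max_jitter:
            found.append({"src": src, "dst": dst, "connections": len(ts),
                          "interval_s": round(score[0], 2), "jitter": round(score[1], 3)})
    return sorted(found, key=lambda f: f["jitter"])


def _constructed_sample():
    """Constructed test data: a 60 s beacon with sub-2 s jitter, plus an irregular flow."""
    lines, t = [], 1700000000.0
    beacon_jitter = [0.5, -1.2, 0.8, -0.3, 1.5, -0.9, 0.2, -1.8, 1.1, -0.4]
    for i in range(30):
        t += 60 + beacon_jitter[i % 10]
        lines.append("%.6f\t10.0.0.23\t203.0.113.7" % t)
    t = 1700000000.0
    for gap in [3, 250, 17, 90, 1, 180, 44, 300, 9, 120] * 3:
        t += gap
        lines.append("%.6f\t10.0.0.23\t198.51.100.9" % t)
    return "\n".join(lines) + "\n"


SAMPLE_TSHARK_OUTPUT = _constructed_sample()

if __name__ == "__main__":
    for flow in find_beacons(parse_tshark_fields(SAMPLE_TSHARK_OUTPUT)):
        print(flow)
```

Run it on real output by piping the `tshark` command from the lead-in into a file and passing its contents to `parse_tshark_fields`. Filtering on SYNs keeps one record per connection; for long-lived sessions score the timestamps of client-to-server data segments instead.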

## Network forensics

```bash
# Extract all files from pcap
# https://github.com/xplico/xplico
# https://www.netresec.com/?page=NetworkMiner

# Reconstruct sessions
tcpflow -r capture.pcap -o output_dir

# Find cleartext passwords
strings capture.pcap | grep -i "pass\|pwd\|login\|user"

# Carve files from network traffic
foremost -i capture.pcap -o carved_files
binwalk -e capture.pcap
```

