TShark TryHackMe Writeup
Learn how to use TShark to accelerate your pcap analysis!
Hey guys, it's been a long time. Sorry for the delay; I actually took a break from writing writeups. Welcome to the new write-up, for the TShark room.
Room Link: https://tryhackme.com/room/tshark
TASK 1: Pre-Reqs
Bored with trying to extract packets by hand? Need to get info from a pcap file that doesn’t extract easily from Wireshark? Are GUIs for losers but now you realized you can’t open Wireshark? Well, my friend, TShark is the solution to all your problems.
Before beginning, we need to make sure we have tshark installed on our host. If you are using the AttackBox you can skip this, as it already has tshark installed.
Generally, tshark is installed along with Wireshark, but let's verify that it's installed anyway. Run the command below to check:
apt list tshark
In my output above, we can see that it is installed. If it's not installed, sudo apt install tshark will do the trick.
The tshark program is also available in a Windows installation as tshark.exe in the Wireshark install directory.
Run tshark -h to get the help output and make sure we can access the program properly.
#1 Mark Complete once installed/verified
Answer: No answer needed
TASK 2: Reading PCAP Files
This task uses the dns.cap capture file on the Wireshark SampleCaptures wiki page.
To read a file with TShark, we use the -r switch. This displays a summary line for each packet, similar to tcpdump output, and is useful for identifying high-level information about the capture.
tshark -r dns.cap
When paired with wc -l, we can quickly identify how many packets are in a capture.
tshark -r dns.cap | wc -l
We can use Wireshark display filters (which are DIFFERENT from BPF capture-filter syntax) to narrow down which packets are displayed. If we're interested in DNS A records only, we can use the dns.qry.type == 1 display filter. Display filters are added with the -Y switch. The command below will show all of the A records in our capture, including responses.
tshark -r dns.cap -Y "dns.qry.type == 1"
The power of TShark comes from combining traditional Wireshark filters with extraction. We can extract specific field values directly from the pcap, so that only the interesting fields are returned. One way to extract data is with the -T fields and -e [fieldname] switches. To extract the A records in the pcap, we add -T fields -e dns.qry.name to the end of our previous tshark command, which gives us the command below:
tshark -r dns.cap -Y "dns.qry.type == 1" -T fields -e dns.qry.name
NOTE: An easy way to identify field names in Wireshark is to open the Packet Details pane for a packet, highlight the interesting field, and then read the field name shown in the bottom-left corner of the status bar.
#1 How many packets are in the dns.cap file?
command: tshark -r filename.cap | wc -l
#2 How many A records are in the capture? (including responses)
command: tshark -r filename.cap -Y "dns.qry.type == 1" | wc -l
#3 Which A record was present the most?
command: tshark -r filename.cap -Y "dns.qry.type == 1" -T fields -e dns.qry.name
TASK 3: DNS Exfil
We've been alerted that a host in our network has been exfiltrating data over DNS; can you find it?
Use the attached file and analyze it in Wireshark and TShark to find the exfiltrated data. As you identify suspicious items in Wireshark, pivot to TShark to extract the relevant information.
Remember, we can filter out irrelevant packets with the -Y switch using display filters.
#1 How many packets are in this capture?
Command: tshark -r filename.pcap | wc -l
#2 How many DNS queries are in this pcap? (Not responses!)
Command: tshark -r filename.pcap -Y "dns.flags.response == 0" | wc -l
The total is 56. You can apply the same filter in Wireshark as well; here is the Wireshark result. Look at the footer: it says 56 packets displayed.
#3 What is the DNS transaction ID of the suspicious queries (in hex)?
Go to Wireshark and click on packet 98, the ICMP protocol packet. It is suspicious if you have even very basic knowledge of Wireshark. Inside the packet, expand Domain Name System (query). There you'll see the Transaction ID; that is your answer.
#4 What is the string extracted from the DNS queries?
tshark -r filename.pcap
If you look carefully, there is one thing that is common to every DNS query yet different in each one: the first letter of each distinct query name. Combine those letters in order and you'll get your answer.
Remember: don't go with the command tshark -r filename.pcap -Y "dns.qry.type == 1" -T fields -e dns.qry.name; otherwise the output will look like the following, and trust me, it is very confusing and gets complicated. It took me a hell of a lot of time to understand it.
Note: it can also be seen in Wireshark, but it gets complicated.
#5 What is the flag?
The string we found earlier is Base32 encoded. Just paste it into an online Base32 decoder and convert it; you'll get the flag.
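The same steps done by hand above (group the queries by transaction ID, take the first letter of each distinct query name, decode the result as Base32) can be scripted. The Python below is an added example, not code from the writeup or the room; it parses a constructed sample of tshark -T fields -e dns.id -e dns.qry.name output that is embedded in the script, so the transaction IDs, query names and hidden payload are made-up values, not the ones in the room's pcap.

```python
import base64
from collections import defaultdict

# Constructed sample of "tshark -r capture.pcap -Y 'dns.flags.response == 0' -T fields
# -e dns.id -e dns.qry.name" output; IDs, names and payload are made up, not the room's.
SAMPLE_TSHARK_OUTPUT = """\
0x1a2b\twww.example.com
0xbeef\tn4f9c.exfil.test
0x3c4d\tmail.example.com
0xbeef\tb71e2.exfil.test
0xbeef\ts0d3a.exfil.test
0xbeef\tw9c1e.exfil.test
0xbeef\tw9c1e.exfil.test
0x5e6f\tupdates.example.com
0xbeef\ty5b7d.exfil.test
0xbeef\t3a8f0.exfil.test
0xbeef\td2c44.exfil.test
0xbeef\tp6e19.exfil.test
"""

def parse_queries(text):
    # Each line is "<dns.id>\t<dns.qry.name>"; anything without exactly one tab is skipped.
    return [tuple(line.split("\t")) for line in text.splitlines() if line.count("\t") == 1]

def group_by_txid(rows):
    # Names per transaction ID in order of first appearance; a retransmitted query
    # repeats the same name, so duplicates are dropped instead of being counted twice.
    groups = defaultdict(list)
    for txid, name in rows:
        if name not in groups[txid]:
            groups[txid].append(name)
    return groups

def find_suspicious_txid(groups):
    # A normal resolver uses a fresh random ID per query, so one ID reused
    # across many distinct names is the suspicious set the writeup found by hand.
    return max(groups, key=lambda txid: len(groups[txid]))

def decode_base32(s):
    # DNS names are case-insensitive and the extracted string may lack "=" padding,
    # so normalise to upper case and pad to a multiple of 8 before decoding.
    s = s.upper().rstrip("=")
    return base64.b32decode(s + "=" * (-len(s) % 8)).decode("ascii")

def recover_flag(text):
    groups = group_by_txid(parse_queries(text))
    txid = find_suspicious_txid(groups)
    first_letters = "".join(name[0] for name in groups[txid])
    return txid, decode_base32(first_letters)
```

On a real capture, feed the script the saved output of the tshark command named in the comment instead of the embedded sample.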
Congratulations, the lab is solved. Happy Hacking!!