Scribd
Upload
275 views

Wireshark Tutorial Identifying Hosts

This document provides tips for using Wireshark to identify hosts and users from network packet captures. It discusses how to retrieve host information like MAC addresses, IP addresses, and hostnames from DHCP and NBNS traffic. Device models and operating systems can be determined from user-agent strings in HTTP traffic. Windows user accounts can be found in Kerberos traffic when the host is part of an Active Directory environment. The document includes examples of filtering packet captures in Wireshark and interpreting the results.

Uploaded by

ppsilva3
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
275 views

Wireshark Tutorial Identifying Hosts

This document provides tips for using Wireshark to identify hosts and users from network packet captures. It discusses how to retrieve host information like MAC addresses, IP addresses, and hostnames from DHCP and NBNS traffic. Device models and operating systems can be determined from user-agent strings in HTTP traffic. Windows user accounts can be found in Kerberos traffic when the host is part of an Active Directory environment. The document includes examples of filtering packet captures in Wireshark and interpreting the results.

Uploaded by

ppsilva3
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 13

Wireshark Tutorial: Identifying Hosts and Users

When a host is infected or otherwise compromised, security professionals


need to quickly review packet captures (pcaps) of suspicious network traffic
to identify affected hosts and users.

This tutorial offers tips on how to gather that pcap data using Wireshark,
the widely used network protocol analysis tool. It assumes you understand
network traffic fundamentals and will use these pcaps of IPv4 traffic to
cover retrieval of four types of data:

 Host information from DHCP traffic


 Host information from NetBIOS Name Service (NBNS) traffic
 Device models and operating systems from HTTP traffic
 Windows user account from Kerberos traffic

Host Information from DHCP Traffic


Any host generating traffic within your network should have three
identifiers: a MAC address, an IP address, and a hostname.

In most cases, alerts for suspicious activity are based on IP addresses. If


you have access to full packet capture of your network traffic, a pcap
retrieved on an internal IP address should reveal an associated MAC
address and hostname.

How do we find such host information using Wireshark? We filter on two


types of activity: DHCP or NBNS. DHCP traffic can help identify hosts for
almost any type of computer connected to your network. NBNS traffic is
generated primarily by computers running Microsoft Windows or Apple
hosts running MacOS.

The first pcap for this tutorial, host-and-user-ID-pcap-01.pcap, is


available here. This pcap is for an internal IP address at 172.16.1[.]207.
Open the pcap in Wireshark and filter on bootp as shown in Figure 1. This
filter should reveal the DHCP traffic.

Note: With Wireshark 3.0, you must use the search term dhcp instead
of bootp.
Figure 1: Filtering on DHCP traffic in Wireshark

Select one of the frames that shows DHCP Request in the info column. Go
to the frame details section and expand the line for Bootstrap Protocol
(Request) as shown in Figure 2. Expand the lines for Client
Identifier and Host Name as indicated in Figure 3. Client Identifier details
should reveal the MAC address assigned to 172.16.1[.]207, and Host
Name details should reveal a hostname.

Figure 2: Expanding Bootstrap Protocol line from a DHCP request


Figure 3: Finding the MAC address and hostname in a DHCP request

In this case, the hostname for 172.16.1[.]207 is Rogers-iPad and the MAC


address is 7c:6d:62:d2:e3:4f. This MAC address is assigned to Apple.
Based on the hostname, this device is likely an iPad, but we cannot confirm
solely on the hostname.

We can easily correlate the MAC address and IP address for any frame
with 172.16.1[.]207 as shown in Figure 4.
Figure 4: Correlating the MAC address with the IP address from any frame

Host Information from NBNS Traffic


Depending on how frequently a DHCP lease is renewed, you might not
have DHCP traffic in your pcap. Fortunately, we can use NBNS traffic to
identify hostnames for computers running Microsoft Windows or Apple
hosts running MacOS.

The second pcap for this tutorial, host-and-user-ID-pcap-02.pcap, is


available here. This pcap is from a Windows host using an internal IP
address at 10.2.4[.]101. Open the pcap in Wireshark and filter on nbns.
This should reveal the NBNS traffic. Select the first frame, and you can
quickly correlate the IP address with a MAC address and hostname as
shown in Figure 5.
Figure 5: Correlating hostname with IP and MAC address using NBNS traffic

The frame details section also shows the hostname assigned to an IP


address as shown in Figure 6.
Figure 6: Frame details for NBNS traffic showing the hostname assigned to an IP address

Device Models and Operating Systems from HTTP


Traffic
User-agent strings from headers in HTTP traffic can reveal the operating
system. If the HTTP traffic is from an Android device, you might also
determine the manufacturer and model of the device.

The third pcap for this tutorial, host-and-user-ID-pcap-03.pcap, is


available here. This pcap is from a Windows host using an internal IP
address at 192.168.1[.]97. Open the pcap in Wireshark and filter
on http.request and !(ssdp). Select the second frame, which is the first
HTTP request to www.ucla[.]edu, and follow the TCP stream as shown in
Figure 7.

Figure 7: Following the TCP stream for an HTTP request in the third pcap
This TCP stream has HTTP request headers as shown in Figure 8. The
User-Agent line represents Google Chrome web browser version
72.0.3626[.]81 running on Microsoft's Windows 7 x64 operating system.

Figure 8: The User-Agent line for a Windows 7 x64 host using Google Chrome

Note the following string in the User-Agent line from Figure 8:

(Windows NT 6.1; Win64; x64)

Windows NT 6.1 represents Windows 7. For User-Agent lines, Windows


NT strings represent the following versions of Microsoft Windows as shown
below:

 Windows NT 5.1: Windows XP
 Windows NT 6.0: Windows Vista
 Windows NT 6.1: Windows 7
 Windows NT 6.2: Windows 8
 Windows NT 6.3: Windows 8.1
 Windows NT 10.0: Windows 10

With HTTP-based web browsing traffic from a Windows host, you can
determine the operating system and browser. The same type of traffic from
Android devices can reveal the brand name and model of the device.

The fourth pcap for this tutorial, host-and-user-ID-pcap-04.pcap, is


available here. This pcap is from an Android host using an internal IP
address at 172.16.4.119. Open the pcap in Wireshark and filter
on http.request. Select the second frame, which is the HTTP request
to www.google[.]com for /blank.html. Follow the TCP stream as shown in
Figure 9.

Figure 9: Following the TCP stream for an HTTP request in the fourth pcap
Figure 10: The User-Agent line for an Android host using Google Chrome

The User-Agent line in Figure 10 shows Android 7.1.2 which is an older


version of the Android operating system released in April 2017. LM-
X210APM represents a model number for this Android device. A quick
Google search reveals this model is an LG Phoenix 4 Android smartphone.

The User-Agent line for HTTP traffic from an iPhone or other Apple mobile
device will give you the operating system, and it will give you the type of
device. However, it will not give you a model. We can only determine if the
Apple device is an iPhone, iPad, or iPod. We cannot determine the model.

The fifth pcap for this tutorial, host-and-user-ID-pcap-05.pcap, is


available here. This pcap is from an iPhone host using an internal IP
address at 10.0.0[.]114. Open the pcap in Wireshark and filter
on http.request. Select the frame for the first HTTP request
to web.mta[.]info and follow the TCP stream as shown in Figure 11.
Figure 11: Following the TCP stream for an HTTP request in the fifth pcap

In Figure 12, the User-Agent line shows (iPhone; CPU iPhone OS 12_1_3


like Mac OS X). This indicates the Apple device is an iPhone, and it is
running iOS 12.1.3.
Figure 12: The User-Agent line for an iPhone using Safari

A final note about HTTP traffic and User-Agent strings: not all HTTP activity
is web browsing traffic. Some HTTP requests will not reveal a browser or
operating system. When you search through traffic to identify a host, you
might have to try several different HTTP requests before finding web
browser traffic.

Since more websites are using HTTPS, this method of host identification
can be difficult. HTTP headers and content are not visible in HTTPS traffic.
However, for those lucky enough to find HTTP web-browsing traffic during
their investigation, this method can provide more information about a host.

Windows User Account from Kerberos Traffic


For Windows hosts in an Active Directory (AD) environment, we can find
user account names in from Kerberos traffic.

The sixth pcap for this tutorial, host-and-user-ID-pcap-06.pcap, is


available here. This pcap is from a Windows host in the following AD
environment:

 Domain: happycraft[.]org
o Network segment: 172.16.8.0/24 (172.16.8[.]0 - 172.16.8[.]255)
 Domain controller IP: 172.16.8[.]8
 Domain controller hostname: Happycraft-DC
 Segment gateway: 172.16.8[.]1
 Broadcast address: 172.16.8[.]255
 Windows client: 172.16.8[.]201

Open the pcap in Wireshark and filter on kerberos.CNameString. Select


the first frame. Go to the frame details section and expand lines as shown
in Figure 13. Select the line with CNameString: johnson-pc$ and apply it
as a column.

Figure 13: Finding the CNameString value and applying it as a column

This should create a new column titled CNameString. Scroll down to the


last frames in the column display. You should find a user account name
for theresa.johnson in traffic between the domain controller at 172.16.8[.]8
and the Windows client at 172.16.8[.]201 as shown in Figure 14.

Figure 14: Finding the Windows user account name

CNameString values for hostnames always end with a $ (dollar sign), while
user account names do not. To filter on user account names, use the
following Wireshark expression to eliminate CNameString results with a
dollar sign:

kerberos.CNameString and !(kerberos.CNameString


contains $)

Summary
Proper identification of hosts and users from network traffic is essential
when reporting malicious activity in your network. Using the methods from
this tutorial, we can better utilize Wireshark to help us identify affected
hosts and users.

You might also like