![]() To examine NBNS traffic from a Windows host, open our second pcap Wireshark-tutorial-identifying-hosts-and-users-2-of-5.pcap and filter on nbns. Finding the hostname from NBNS traffic in our first pcap. This should reveal the same hostname we previously found in the DHCP traffic, displaying JEREMIAHS-MBP, as noted below in Figure 6. Fortunately, we can use NBNS traffic to identify hostnames for computers running Microsoft Windows or Apple hosts running macOS.įilter on nbns for our first pcap and review details under the Info column. Host Information from NetBIOS Name Service (NBNS) Trafficĭepending on how frequently a DHCP lease is renewed, we might not have DHCP traffic in our pcap. Due to anonymization and spoofing, we should never base host identification solely on a MAC address. However, mobile devices often anonymize MAC addresses and users can easily change these to spoof different vendors. This pcap also contains traffic to various Apple domains, further indicating this is an Apple host. That and the hostname ending with MBP indicate this might be an Apple MacBook Pro. In Figure 5, the vendor identification of the MAC address shows Apple_. Correlating the MAC address, IP address and hostname from DHCP traffic.īy default, Wireshark attempts to resolve the first 3 bytes of a MAC address to a vendor identification. ![]() This reveals the client’s MAC address at f8:ff:c2:04:a5:7b with hostname jeremiahs-MBP and a requested IP address of 172.16.138. Scroll down the frame details section, then expand the lines for Option: (50) Requested IP Address and Option: (12) Host Name as indicated below in Figure 5. Expanding the Dynamic Host Configuration Protocol line from a DHCP request. Then go to the frame details section and expand the line for Dynamic Host Configuration Protocol (Request), as shown below in Figure 4. Select the first frame in the results, the one that displays DHCP Request in the Info column. First, type dhcp in the Wireshark filter bar to filter for DHCP traffic, as shown below in Figure 3. Correlating an IP address with a MAC address.ĭHCP traffic might reveal the hostname using this IP address. Using our basic web filter, we can correlate the IP address at 172.16.138 with its associated MAC address at f8:ff:c2:04:a5:7b, as shown below in Figure 2. This pcap is based on traffic to and from an Ethernet address at f8:ff:c2:04:a5:7b. Our first pcap for this tutorial is Wireshark-tutorial-identifying-hosts-and-users-1-of-5.pcap. Wireshark-tutorial-identifying-hosts-and-users-5-of-5.pcapĪny host generating traffic within a network should have three identifiers: a MAC address, an IP address and a hostname.Wireshark-tutorial-identifying-hosts-and-users-4-of-5.pcap.Wireshark-tutorial-identifying-hosts-and-users-3-of-5.pcap.Wireshark-tutorial-identifying-hosts-and-users-2-of-5.pcap.Wireshark-tutorial-identifying-hosts-and-users-1-of-5.pcap.Use infected as the password and extract the five pcaps, as shown below in Figure 1. Download the file named Wireshark-tutorial-identifying-hosts-and-users-5-pcaps.zip. The pcaps used for this tutorial are in a password-protected ZIP archive located at our GitHub repository. To follow this tutorial, readers should have a basic understanding of network traffic. We strongly recommend using the most recent version of Wireshark available for your operating system (OS). This tutorial features Wireshark version 4.0.8 with a customized column display from our previous tutorials. Requirements also include a recent version of Wireshark, at least version 3.6.2 or later. To fully understand this tutorial, readers should have reviewed the material in our previous tutorials on customizing Wireshark’s column display and using display filter expressions. Identifying Users in an Active Directory (AD) EnvironmentĪdditional Resources Requirements and Supporting Material Host Information from NetBIOS Name Service (NBNS) Trafficĭevice Models and Operating System (OS) from HTTP Traffic Host Information from Dynamic Host Configuration Protocol (DHCP) Traffic This article was first published in March 2019 and is being updated for 2023. This is the third in a series of tutorials that provide tips and tricks to help security professionals more effectively use Wireshark. This tutorial uses Wireshark to identify host and user data in pcaps. In some organizations, this could involve reviewing a packet capture (pcap) of network traffic generated by the affected host. When a host within an organization's network is infected or otherwise compromised, responders need to quickly identify the affected host and user.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |