New guy to new area question

I'm getting into the sec field and I'm still very new to it. I was given an assignment by a mentor of sorts to find different information in a packet capture. I was able to find the login names and passwords from it, but I cannot find the other information for the life of me. I am using Wireshark, and I've searched high and low on Google and other forums and the like to find my answers, and still they elude me. Below is the information I need to find; what I'm asking for is just a point in the direction of where to find it in a packet capture in Wireshark.

Software versions

Protocols (I'm guessing it's TCP, but I'm not sure if that's what he's asking for or if there is another location)

Any help would be appreciated in trying to better understand how to read these packets.


Wireshark can tell you info on the packets of data in plain text, but to see what software, look at what ports it's communicating on to deduce what service might be at the other end in those cases. Wireshark or any packet analyzer can do only so much, and tools like Nmap would be needed to probe devices or nodes for more info, or use things like SNMP, if enabled, to query other machines for data.

Data sent by a browser, for instance, will show up as HTTP or HTTPS GET, POST, etc., and will show the user agents, which can be forged, but most likely show you the software in use, since things like Flash have their own user agents and so on. Protocols in use can help determine the type of software, such as IRC, but not always the IRC client in use, for example. So there's not a whole lot you can do from Wireshark alone without probing the other nodes to make them talk, so to speak. Querying the workstations using other things like nbtstat, netstat, psexec, etc. can get you more info.

If you saw, say, port 22, that's SSH, or one of the SSH protocols like SSH, SCP, or SFTP over SSH. To get the software in use, you can open a browser to that IP on port 22, i.e. http://x.x.x.x:22/ where x.x.x.x is the IP or website address in question; the browser will time out with an error but usually return the banner of what version of SSH software is running on it. Nmap is also good for doing this, which is why I mentioned it as well, for banner grabbing. Ex: nmap -PN -sC -sV --open x.x.x.x where x.x.x.x is the IP you want info on.

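The reply above describes two things to look for in the capture itself: service banners (the SSH identification string, the HTTP User-Agent and Server headers) and the application protocols riding on top of TCP. The script below is an added example written for this thread, not code from either poster. It builds a small constructed pcap in memory (the hosts 10.0.0.5 and 10.0.0.9, the ports and the version strings are all made up for the demo), then parses it with only the standard library and pulls out exactly those fields, the way you would with Wireshark display filters. It also shows why identifying a protocol by content beats guessing by port: the last segment is SSH on port 2222, which a port-based guess would miss.

```python
"""Find software versions and protocols in a pcap using only the standard library.

Added example for this thread (not the posters' code). All traffic below is
constructed: hosts, ports and banner strings are made up for the demo.
"""
import re
import struct
from collections import Counter


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet + IPv4 + TCP around payload. Checksums stay zero; we only parse, never send."""
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"          # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)  # PSH|ACK
    return eth + ip + tcp + payload


def build_pcap(frames):
    """libpcap file: global header (little-endian magic, link type 1 = Ethernet) + one record per frame."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


# Constructed capture: a client (10.0.0.9) talking to a server (10.0.0.5).
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.9", "10.0.0.5", 50123, 22, b""),                      # bare ACK, no payload
    build_frame("10.0.0.5", "10.0.0.9", 22, 50123, b"SSH-2.0-OpenSSH_8.9\r\n"),
    build_frame("10.0.0.9", "10.0.0.5", 50124, 80,
                b"GET / HTTP/1.1\r\nHost: 10.0.0.5\r\n"
                b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0\r\n\r\n"),
    build_frame("10.0.0.5", "10.0.0.9", 80, 50124,
                b"HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nContent-Length: 0\r\n\r\n"),
    # SSH on a non-standard port: a port-based guess misses it, the banner does not.
    build_frame("10.0.0.5", "10.0.0.9", 2222, 50125, b"SSH-2.0-dropbear_2020.81\r\n"),
])


def iter_tcp_payloads(pcap):
    """Yield (src_ip, dst_ip, sport, dport, payload) for every IPv4/TCP frame in a pcap."""
    magic, = struct.unpack_from("<I", pcap, 0)
    assert magic == 0xA1B2C3D4, "only little-endian microsecond pcap handled here"
    offset = 24
    while offset + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", pcap, offset)
        offset += 16
        frame = pcap[offset:offset + incl_len]
        offset += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                        # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        data_off = (tcp[12] >> 4) * 4
        yield src, dst, sport, dport, tcp[data_off:]


PORT_HINTS = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http", 443: "tls"}
HTTP_REQUEST = re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r?\n")


def classify(sport, dport, payload):
    """Identify the application protocol by content first; use the well-known port only as a fallback."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    if HTTP_REQUEST.match(payload) or payload.startswith(b"HTTP/1."):
        return "http"
    if payload[:2] == b"\x16\x03":                          # TLS handshake record
        return "tls"
    return PORT_HINTS.get(dport) or PORT_HINTS.get(sport) or "unknown"


def extract_banners(pcap):
    """Return ({'ssh', 'user_agent', 'server'} -> set of (host, text), Counter of protocols)."""
    found = {"ssh": set(), "user_agent": set(), "server": set()}
    protocols = Counter()
    for src, _dst, sport, dport, payload in iter_tcp_payloads(pcap):
        proto = classify(sport, dport, payload)
        protocols[proto] += 1
        if proto == "ssh" and payload.startswith(b"SSH-"):
            # RFC 4253 identification string: "SSH-protoversion-softwareversion", first line only
            line = payload.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")
            found["ssh"].add((src, line))
        elif proto == "http":
            for header, key in ((b"user-agent", "user_agent"), (b"server", "server")):
                m = re.search(rb"(?im)^" + header + rb":[ \t]*([^\r\n]+)", payload)
                if m:
                    found[key].add((src, m.group(1).decode("ascii", "replace").strip()))
    return found, protocols


if __name__ == "__main__":
    banners, protocols = extract_banners(SAMPLE_PCAP)
    for key, values in banners.items():
        for host, text in sorted(values):
            print(f"{key:10s} {host:12s} {text}")
    print("protocols:", dict(protocols))
    with open("sample.pcap", "wb") as fh:                   # open this in Wireshark to compare
        fh.write(SAMPLE_PCAP)
```

Running it prints the OpenSSH and dropbear banners attributed to 10.0.0.5, the Firefox User-Agent attributed to 10.0.0.9, the nginx Server header, and a protocol count of ssh: 3, http: 2 (the empty ACK on port 22 is counted by port only, since it carries no banner). The same information in Wireshark: the display filter ssh.protocol shows the SSH identification strings, http.user_agent and http.server show the browser and web server versions, and Statistics, then Protocol Hierarchy, answers the "protocols" question at every layer, which is usually what such an assignment means rather than just TCP. From the command line, tshark -r capture.pcap -Y "ssh.protocol || http.user_agent || http.server" -T fields -e ip.src -e ssh.protocol -e http.user_agent -e http.server produces the same table for a real capture.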
