rfhs · m1ddl3w4r3 · Dec 22, 2023 · Dec 22, 2023 · Dec 22, 2023 · Dec 22, 2023
diff --git a/80211 WIFI (RCTF)/80211_keys b/80211 WIFI (RCTF)/80211_keys
diff --git a/80211 WIFI (RCTF)/dfilter_buttons b/80211 WIFI (RCTF)/dfilter_buttons
diff --git a/README.md b/README.md
@@ -1,22 +1,51 @@
-# wifishark
+## WiFiShark
+<p align="center">
+  <img src="https://github.com/m1ddl3w4r3/wifishark/assets/49599953/1d6d7004-aa07-49ef-8946-d4fe9d9ac34d.jpg" alt="wifishark"/>
+</p>
 
+#Purpose 
 
-
-##Welcome to the WIFIShark Profile (80211 WIFI RFCTF)
-
-Created with the idea that there was not a "Red Team" 80211 profile for Wireshark
-This was a small passion project with a few ideas
-Dont do 7000 colors you have to remember
+Created with the idea that there was not a "Red Team" 80211 profile for Wireshark. \
+This was a small passion project with a few ideas. Dont do 7000 colors you have to remember \
 Show things important to doing a redteam event (like the RFCTF)
+
+\
 Things like:
-IVs
-Handshakes
-Deauths
 
+ - IVs
+ - Handshakes
+ - Deauths
+ - Certs
+ - Creds
+
+
+\
+#Installation
+
+ - Grab the release wifishark or Create zip file of the directory.
+ - Install it in the same way you would any other profile in Wireshark
+
+```
+Right Click Profile: in the bottom right hand corner.
+Import wifishark.zip file
+```
+
+<p align="center">
+  <img src="https://github.com/m1ddl3w4r3/wifishark/assets/49599953/25a13406-f586-4c06-a46f-adc68a4b7ea7.jpg" alt="import"/>
+</p>
+
+
+\
+#Usage
 
+Use the colors to decode the packets you want to see without having to drill down on them.
 
-##Instalation
+<p align="center">
+  <img src="https://github.com/m1ddl3w4r3/wifishark/assets/49599953/8717d838-71f6-4a16-9ca5-885f3abe0bbd.jpg" alt="usage"/>
+</p>
 
-install it in the same way you would any other profile in Wireshark
-https://www.wireshark.org/docs/wsug_html_chunked/ChCustConfigProfilesSection.html
+Or use the button to group packets of the choosen type.
+<p>
+  <img src="https://github.com/m1ddl3w4r3/wifishark/assets/49599953/bc92b1f4-4909-4c24-ad75-590643801c0e" alt="buttons"/>
 
+</p>
diff --git a/wifishark/80211_keys b/wifishark/80211_keys
@@ -0,0 +1 @@
+# This file is automatically generated, DO NOT MODIFY.
diff --git a/80211 WIFI (RCTF)/colorfilters → wifishark/colorfilters b/80211 WIFI (RCTF)/colorfilters → wifishark/colorfilters
@@ -1,4 +1,8 @@
-# DO NOT EDIT THIS FILE!  It was created by Wireshark
+# This file was created by Wireshark. Edit with care.
+@SSL Cert@ssl.handshake.certificate and eapol@[65535,0,0][0,0,0]
+@WPA-EAP Identities@eap.type == 1  && eap.code == 2@[65535,0,0][0,0,0]
+@GET Creds@http.request.method == GET and http.authbasic@[65535,0,0][0,0,0]
+@POST Creds@http.request.method == POST and (lower(http.file_data) contains "pass" or lower(http.request.line) contains "pass" or tcp contains "login")@[65535,0,0][0,0,0]
 @WEP@wlan.wfa.ie.wpa.ucs.type == 1@[64764,44975,15934][61423,10537,10537]
 @WEP IV@wlan.wep.iv@[35466,58082,13364][61423,10537,10537]
 @Disassoc - MDK3@wlan.fc.type_subtype eq 0x00a@[34952,35466,34181][61423,10537,10537]
@@ -10,4 +14,5 @@
 @802.11R Auth Request@(wlan.fc.type_subtype==0)&&(wlan.rsn.akms.type==3)@[44461,32639,43176][35466,58082,13364]
 @802.11w capable@wlan.rsn.capabilities.mfpc == 1@[11565,32125,46003][0,0,0]
 @802.11w required@wlan.rsn.capabilities.mfpr == 1@[29298,40863,53199][0,0,0]
-@Handshakes@eapol@[0,0,0][64764,59881,20303]
+@802.11w downgradeable@(((wlan.fc.type_subtype == 0x0008) && (wlan.rsn.capabilities)) && (wlan.rsn.capabilities.mfpc == 0 && wlan.rsn.capabilities.mfpr == 0))@[0,43690,65535][0,0,0]
+@Handshakes@eapol or wlan.rsn.ie.pmkid@[0,0,0][64764,59881,20303]
diff --git a/80211 WIFI (RCTF)/decode_as_entries → wifishark/decode_as_entries b/80211 WIFI (RCTF)/decode_as_entries → wifishark/decode_as_entries
@@ -1,4 +1,4 @@
-# "Decode As" entries file for Wireshark 3.2.3.
+# "Decode As" entries file for Wireshark 4.0.6.
 #
 # This file is regenerated each time "Decode As" preferences
 # are saved within Wireshark. Making manual changes should be safe,

diff --git a/wifishark/dfilter_buttons b/wifishark/dfilter_buttons
@@ -0,0 +1,10 @@
+# This file is automatically generated, DO NOT MODIFY.
+"TRUE","WEP","wlan.wfa.ie.wpa.ucs.type == 1",""
+"TRUE","WEP IV","wlan.wep.iv",""
+"TRUE","HANDSHAKE","eapol or wlan.rsn.ie.pmkid",""
+"TRUE","WPA-EAP Identities","eap.type == 1  && eap.code == 2",""
+"TRUE","SSL Certs","ssl.handshake.certificate and eapol",""
+"TRUE","80211w Downgradeable","(((wlan.fc.type_subtype == 0x0008) && (wlan.rsn.capabilities)) && (wlan.rsn.capabilities.mfpc == 0 && wlan.rsn.capabilities.mfpr == 0))",""
+"TRUE","80211w Required","wlan.rsn.capabilities.mfpr == 1",""
+"TRUE","POST Creds","http.request.method == POST and (lower(http.file_data) contains \x22pass\x22 or lower(http.request.line) contains \x22pass\x22 or tcp contains \x22login\x22)","Find Creds in POST request"
+"TRUE","GET Creds","http.request.method == GET and http.authbasic","Passwords from GET request."
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		# This file is automatically generated, DO NOT MODIFY.