Time: 14 hours 43 minutes
Difficulty: Advanced
CEU/CPE: 15

Video Transcription

00:00
Hello, everybody, and welcome to episode number 10 of the OSCP course: Wireshark and tcpdump. My name is Alejandro Guinea, and I'll be your instructor for today's session. The learning objectives are to understand the basics of Wireshark and tcpdump, and to understand how you can actually use Wireshark through the terminal or the shell. So let's get started.
00:26
I'm just opening up here the Windows machine we have been using. So, first of all, let me just go really quick again through seeing the difference between a connection with netcat and a connection with ncat. For netcat, this will be plain connections, I mean, no encryption, and I just fire up here my tcpdump listener. Let me just first finish the connection here. Okay, so I'm listening, and then I connect. Nope, sorry.
01:23
So I'd like to see the chat going on, and how ncat can actually take connections from that chat, and I will just type tcpdump here, dash X, uppercase X, capital X as you would like to call it, on eth0, port, port 124. And if I send an unencrypted message: Hi. Hello. How are you? You can see "Hello, how are you?" will be in plain text.
02:10
So, if I actually add encryption to this with ncat (remember, we saw before that we can actually add encryption), let me copy-paste the command real quick here. And ncat, listening on port 4444, and here, ncat, and get that exec file.
02:53
So I'm connected here again. I will start the listener here on Windows with 4444, and if I say "hello, how are you?" I will just... oh, I'm not doing the encryption, sorry about that. And remember how you can add encryption, just by typing a simple dash-dash-ssl (--ssl) here, and I will again fire up the connection here. And if I say "Hello, how are you?", I don't see the message anymore. I just see gibberish here and unreadable information because, at the end, it's all encrypted.
03:46
So this is how you can actually use tcpdump with several other protocols. Don't get me wrong, I just did this so you can recap and see how we actually did this in the last video, but, you know, just to have a tcpdump... I'm sorry about that, a TCP background of this. So can you actually use Wireshark? Yeah, you can actually just fire up Wireshark. Let me just minimize this and extend this.
04:24
Let's fire up Wireshark, shall we? wireshark from the terminal, and it will display this. First of all, we can put two different filters: the capture filter and the display filter. The display filter will be useful after you capture the packets, because, at the end, you just want to display certain information. So if you're not sure what you're looking for, or what protocol might be the dangerous one for you, maybe capture all the traffic on the interface you intend to capture, in this case eth0. But, you know, this will create a lot of noise. So if you're actually sure what traffic you are looking for, maybe a capture filter will minimize the amount of information you will log and, you know, maybe make it easier to look through the trace and see if you have something going on there.
05:30
So, for example, a simple capture filter will be "port 80", as I want to capture, and I leave the interface here, as I want to capture only HTTP traffic. So I go here, I start it up. As I haven't gone to any web page, this doesn't display anything. But if I hit refresh on my Windows machine, oh, there you go. You see traffic here and, you know, you can actually see the payload of the packets. For example, here you can see the payload over here, and if you want to go further in the trace, you can actually get a lot of information from this. This is way cooler than tcpdump, or maybe not cooler, but, you know, easier to see, easier on the eye. But at the end, I told you before, as you go further in your penetration testing career, you will see that most of the time you end up using only the terminal. You don't have access to a graphic user interface.
06:45
If you have access to a graphic user interface, Wireshark is a great option for you. But let's see if we can actually see some... as we're not encrypting information, I want to see, just as we did in tcpdump, if we can actually capture some login information. For that, I have another virtual machine going on over here, which is that Debian machine. Nothing fancy, just hosting an HTTP login page. Again, nothing fancy. And if I go here and I put, I don't know, a username and password, maybe "admin" and "this is a test", and I log in, it will of course fail, it will not log into anything, but the packet will be captured. So now that I have the credentials, I can, you know, go here and apply a search filter, not a display filter, which is different. And I go here and I put, I want to look for a string, in the packet list? No, in the packet details, because that's, you know, the packet payload, and I can just put the words "this is a test" and see if we can find anything. Yeah, sure enough, the password, which is the field, is "this is a test", and the user is "admin". So here we have the entire thing: form item, for example, key "password" and value "this is a test", and form item "user", the value is "admin". Yeah, you can actually do that in Wireshark, and, as you can see, it's really easy.
08:48
And it's really intuitive to actually do it. We did nothing fancy here; we just applied a search filter. Again, you can apply capture filters, display filters, but you can actually search for packets. And the powerful thing about Wireshark is you can even search for a hex value, a regular expression, a display filter; you know, you can do a lot of stuff here, and you can search in the packet details, in the packet list. Remember, if you're trying to look for a specific TCP session, you can use the packet list, or the packet bytes, whatever works for you.
09:26
As you can imagine, this will also not happen on HTTPS, so nothing you can add here. But I told you before, most of the time you will be using the terminal. So for that, the Wireshark folks created an application, or, you know, a command called tshark. If you have Wireshark, then you have tshark installed. So let me just close here; I don't want to save it. I don't want to save it here. And you can actually use tshark as we did with tcpdump. What is it? Does it matter, is tshark better than tcpdump? I cannot actually say; I will be biased because I have been using tcpdump my entire life. But I don't want to say that tshark is not better than tcpdump. It's whatever you prefer. Maybe tshark, as it comes with Wireshark, has a better integration with the Wireshark graphic user interface. But I have to tell you, I have never had a problem actually importing whatever I capture from tshark or from tcpdump and then checking it out on Wireshark, as at the end you just create a pcap file, and that's all. But, you know, then again, you can do that, and that will be perfectly fine. Whatever works best for you, whatever you like better, go with that. I don't have any problem with any of those commands. So, for this example, let's start the listener with tshark, shall we?
11:11
tshark, with a simple dash V (-V) so we can actually see the payload of the packets. The interface will be again eth0, and the filter, the capture filter, would be "tcp port 80". And that's it. Okay. We will ignore this because we're in a test environment. And again, "admin", "this is a test", and, oh my God, we have a lot of information here. It's like we have opened all the flags in the Wireshark graphic user interface, but we already opened it here. So, as you can see, for a single login there's a lot of information. But guess what, folks, you can actually pass this through a grep command, or whatever other command works best for you. Remember that we saw in Wireshark that all the data, or at least the data that was useful for getting information, I mean, the useful user name and password, is located in a field called form item. Well, we can grep that here.
12:39
So let me just go all the way down to the end of the packet capture, and I will grep that. I know this is not the fanciest solution for this problem; you can apply awk or sed or whatever command works best for you. Maybe you're not trying to apply such a simple search command, but in this case a simple grep works just fine. So let me just give you here how grep works: grep "form item", and it will start, you know, capturing again, the same thing. I didn't change anything from the previous command, I just added a grep for "form item" here, and I go to the web page again and test "admin", "this is a test".
13:39
Well, again, don't save. What did I do wrong? What did I do wrong here? Oh, I see what I did wrong. Sorry about that: "for item". Oh, I see, I typed "for item"; no, "form item", I'm sorry about that, "form", from the, you know, form, the login form. And we start capturing again: "admin", "this is another test", don't save, and then there we have it: "admin", "this is another test".
14:33
So, yeah, as simple as that, we already captured that. Again, this will not happen on HTTPS, but did you get the idea? You can actually apply a lot of bash commands through your tshark capture. But you could do the same with tcpdump. Again, don't get me wrong, I don't mean tcpdump is not better than Wireshark or tshark, or the other way around. It's just how familiarized you are with the tool and the commands, and whatever works best for you. I guess at the end the magic is in applying the display, capture and search filters, because that's where you can actually find useful information from the packets you capture. And, you know, maybe you are applying a sniffer in your company because you actually suspect someone that is connecting to a specific server, or maybe is leaking information or classified information. That will come really handy to you, applying all these filters. And since, again, as a penetration tester, we will be using the terminal most of the time, getting familiar with tshark, tcpdump and with all the bash commands you can apply over that packet capture is perfectly fine. Even you can actually capture the packets through the terminal and then save it to a pcap file, because maybe you want to actually search for the strings or the commands in a more graphic user interface, and then just open the pcap file on Wireshark, and that's again perfectly fine.
16:11
Post-assessment questions. Can you actually use Wireshark without the graphic user interface? Yeah, you can. It's called tshark, and you can actually execute commands over the terminal. Can you pass Wireshark through a grep command? Yeah, again, using tshark. I know tshark is not the exact same thing as Wireshark, they're two different tools, but, you know, tshark is like the non-graphic-user-interface-based version of Wireshark. If that's the case, I mean, if you can actually pass Wireshark through to a grep command, which we already said, yes, true, using tshark. Can you look for specific strings, maybe passwords and user names? Yeah, you definitely can, and other useful strings you may like.
17:00
In summary, in this video we saw several techniques to capture traffic. We executed commands in both tcpdump and tshark to check the traffic in the terminal. Supplementary materials you can use: you can actually go to the Network+ guides from the CompTIA certification house, and you can also go to any book or reference on the CCNA certification from the Cisco folks, or any other material with tcpdump... I'm sorry, Wireshark has a web page where you can find a lot of manuals, a lot of filters, and actually a simple Google search. At the end of the day, guys, Google will be your best friend in your penetration testing career. And actually, when you go through the OSCP exam and lab, you will see that only Google can save you. There's no reference that I can tell you right now that will contain everything. There's no book that will contain everything. Only Google. You will have to Google stuff that you will not see in this course, you will not see in any other course, because at the end that's what pentesting is all about: imagination. Looking forward, in the next video we'll cover some basic knowledge of Burp Suite. That's it for today, folks. Thank you for watching, and I hope to see you soon.


Instructed By

Alejandro Guinea
CERT Regional Director
Instructor