PCAP Analysis with Wireshark Demo

Video Activity
Time: 1 hour 41 minutes
Difficulty: Beginner
CEU/CPE: 2
Video Transcription
00:00
Hey, everyone, welcome back to the course. So in this video, we're gonna do a brief look at a
00:06
packet capture with Wireshark. So we've got a SQL injection attack
00:10
packet capture. And this is a task that you might be doing as a SOC analyst or incident responder. You're definitely going to be doing packet capture analysis at some point. And so this is a good demonstration to show you, with a very simplistic example, a very simple SQL injection attack. So
00:27
we've got our packet capture opened up here inside Wireshark. The first thing I want to point out is that the first three lines here
00:31
are gonna be our TCP three-way handshake, as it's called. So our SYN packet,
00:36
so, for example, I say hello to you. You then send me a SYN-ACK packet back saying
00:42
that you have gotten my message, and then you ask me, "Hey, can you hear me?" And then I send you an acknowledgement packet back saying, "Yes, I can hear you," right? So that establishes the three-way handshake. That's a very simplistic example, but just to give you an idea, if you don't know what a three-way handshake is.
00:56
So we're gonna be particularly looking at packet number four here, which is an HTTP packet.
01:02
Now we wanna look and see here. If we open up our Hypertext Transfer Protocol area in Wireshark, you notice the SQL injection attack here. So the
01:08
percent 27 sign, we'll talk about that in just a little bit, but the UNION SELECT there, this is a SQL injection attack. So, a very simple SQL injection attack. And basically that percent 27 is
01:21
giving us an apostrophe. So it's Unicode for an apostrophe. Just like if we type the apostrophe on the keyboard, that's what it's doing. And that's a very simplistic type of SQL injection attack.
01:30
So let's go ahead and just double-click and take a little closer look at packet number four here.
01:36
So we're gonna scroll down, just kind of look at some of the code here and see if we notice anything. First things first, we're gonna scroll down this HTTP area, and we see there's our SQL injection attack statement.
01:46
So you notice at the end of the sticker.php we've got the appended area. That's percent 27, and that begins our actual SQL injection attack. You notice all those numbers too, 1, 2, 3, 4, 5, 6, 7, 9, etcetera, etcetera, all the way up until number 20.
02:02
And the goal, basically, by using that apostrophe, or the simple attack, the attacker's goal is basically to try to break
02:09
the parsing engine of the SQL database on the back end. And if you can do that successfully, then the attacker usually will pass an actual legitimate SQL command, so, like the SELECT statement, for example, to try to get any information from the database that they can get.
02:23
So the next thing we're gonna do is we're just gonna right-click on this other packet here. We're gonna do what's called Follow TCP Stream. Now, this allows us to take a little closer look at what's going on in the communication between the victim and the web server. So here we can see that SQL injection attack again.
02:40
And then if we go down a little bit to that HTTP area, we'll see a response from our web server.
02:46
And so this 200 OK response code is from that actual web server,
02:52
and basically this is just the response of the web server to that GET command that's at the start of that SQL injection attack.
02:58
So we're just gonna scroll down a little bit more and see if we notice anything else that looks a little off in this JavaScript and HTML code. And as we scroll down a little bit here, we see these href areas. You notice 2, 3, 4, 5, 6, 7, etcetera. Remember the numbers we had before, the 1, 2, 3, 4, 5, 6, 7, 8, all the way up to number 20.
03:16
These are showing that this SQL injection attack was successful. So this is basically the web server providing responses
03:25
to those requests that the attacker sent. So again, the attacker sent those 20 requests, and we see here that there were 12 responses from the web server. So in this example, the SQL injection attack was successful.