Traffic Capture (part 2) Analyzing Network Protocol with Wireshark
Video Activity
This video introduces the wireshark tool. Wireshark is a network protocol analyzer. In this video, participants will be shown step by step how to use wireshark to monitor traffic on a network. Participants will also be shown how to use the variety of filters available in wireshark to monitor data.
Difficulty
Advanced
Video Transcription
00:04
All right. So we're gonna start Russia to Cold War. Sure,
00:10
you should be called a burial.
00:22
And hopefully that error is not a big problem. I recently moved from
00:26
1.0 point checks to 1.0 point nine and
00:30
never underestimate the ability to break something. When there's this many tools being configured in one place, probably that won't be a problem.
00:38
We want to capture traffic like he's just gonna do is first solution on the wire with wireless and
00:44
see what packets it can see. I want to go to Capture, up here at the top,
00:50
and Interfaces,
00:53
we want eth0,
00:56
Start.
00:57
It is going to try and monitor all traffic, which we don't want to do.
01:06
What we want to do is go back to Interfaces
01:11
and we say options.
01:14
We want to make sure we have promiscuous mode turned off.
01:22
Use promiscuous mode on all interfaces. We actually want to turn that off.
01:27
And the reason for that
01:32
is that
01:33
we need to pretend that we're not in VMware. Basically, in VMware they're all using the same network interface port, so it'll actually be able to see more than it would if there were a ton of different machines. We want to pretend like we have an actual network here.
01:48
Now
01:53
we've got promiscuous off.
01:56
Uh, let's restart.
02:00
We should only be able to see traffic
02:02
to and from our machine or to the broadcast
02:06
in our switched network, like
02:08
the printer is around here somewhere
02:15
doing broadcast. So if I, for instance, would say
02:20
I came 192.168 wonders of the six
02:25
should be able to see that.
02:28
So I see ICMP echo request, see something called an ARP.
02:31
We'll talk about that
02:35
so we should see anything from the broadcast of the 255
02:38
at the end, as well as anything to or from our own machine, but in a switched network. And this is why we turned off promiscuous,
02:45
because in a switched network, we should not be able to see traffic to and from other machines that don't have anything to do with us,
02:53
but in our VM network, because they're all using the actual same interface on the machine, we will be able to see them if we look in promiscuous mode. But again, we want to make it look like an actual network, so we turned that off.
03:07
All right, so it's just pinging forever. We should stop that.
03:10
So also, for instance, if I do an FTP to
03:15
the XP machine. I know it has anonymous on.
03:23
The cool thing about FTP, well, not cool from a security perspective, is that
03:30
it will allow us to actually see the traffic in plain text. So, for instance, I've had clients where I have done, like, reviews of their software and they're sending sensitive data to and from the server using FTP. So not only do I see their login credentials that are, like, embedded in it,
03:49
you have to reverse engineer it to get those. But if I just listen
03:52
with Wireshark, I can see those. So I don't have to reverse engineer it to get the credentials, I can just watch it. But also then the data being sent over is also in plain text. Unless they encrypt it before they send it,
04:03
Then
04:05
I can just see it in plain text. I can actually grab it off the wire, like
04:10
these hex bytes down here, like dump them into
04:14
a file
04:15
and actually recover it. So I've done that for a few customers. But in this case, I'm going to see
04:23
username and password. Since I just used anonymous, its password is georgia@bulbsecurity.com.
04:30
We can filter. So we come up here to the filter, type ftp
04:34
and apply, and it'll show only FTP stuff.
04:40
I can do
04:43
ftp and, to say and,
04:46
ip.dst
04:49
equal, equal,
04:51
1 68 that wound up 76. So that will only show us FTP traffic that is destined for 1 91 sexy that won the 76,
05:03
the only stuff we're sending,
05:08
but also do, like,
05:10
ip.src equal equal 1 90 that want to say that six,
05:15
or,
05:17
that'll show us both sides.
05:19
Anything from
05:23
went on to dote on 68
05:25
that 1 76 or coming
05:28
to us. So there's lots of different filters you could do. I encourage you to
05:30
read the manual on that. There's a lot of different things you can do. What you can also do
05:35
is where you can see, like, the raw data here,
05:40
it'll, like, break it down, like here's Ethernet, IP, TCP,
05:46
FTP,
05:47
really breaks down the protocols. And also you can do
05:53
Follow TCP Stream, so this is
05:56
the whole conversation, if you will. So you could do a fair amount with Wireshark. But
06:01
let me instead
06:05
clear the filter.
06:08
And if we come over to,
06:12
that's the domain controller.
06:14
Yeah,
06:15
I have a domain controller. I don't require it, but I'll show a couple of things with the domain controller.
06:23
You can set up the domain controller if you like.
06:26
So if I was on Ubuntu and I did ftp, when I don't want to see it, wound up from the six.
06:33
So then how about I give it, like, a real username and password? You don't know that yet,
06:41
but that's actually a legitimate username and password for that. But we'll see that during password cracking.
06:46
Mmm.
06:48
So it looks like there's something called creditcards.txt in there.
06:53
So maybe I'm giving a few things away, but
06:56
mostly had to do it properly. But if I come over here,
07:00
I do a filter for FTP.
07:06
Why
07:10
The last thing we saw was that anonymous and georgia@bulbsecurity.com. We did not see that georgia and password that just came through.
07:19
Since it was neither to or from our machine, we were not able to see it.
07:26
Of course, we'd like to be able to see it. That would probably be helpful to us; that could have, in this case, been a valid username and password that we could use to log in and possibly get creditcards.txt out of there. So
07:39
definitely maybe something we'd like. So I wonder if there is something we can do
07:44
make that happen. So that is going to be our next goal.