21 hours 43 minutes
using wire Shark
in this lesson. We're to understand the basic use of wire Shark is both an attacker and defender. As well as I understand the traffic we generate within map.
So wire shark is an open source packet capture tool and it also analyzes packets as well. It's used by system admins or network admins to debug networking issues. It's also used by the blue team guys, the defenders to look for malicious traffic. And we can also use it as Attackers
to figure out what kind of noise our tools are making or maybe one of our tools isn't working.
And we want to know why. So we use wire Shark to kind of debug our own issues. Um as well as understand perhaps we set up a server and we want to see um what the hosts are that are coming to our website and we'll see a little bit later how we can weaponize that, which is pretty fun.
So wire Shark with end map, it's important. I said it's important to know what your tools do over the wire. And we're gonna look at two different scans with end map. There's the S. T. Flag or the full three way handshake. Uh TCP handshake. And these are also the syn scan or stealth scan. So
I want to show you what that looks like over the wire and wire shark
first. Um You want to pick your correct interface? So I use I. P. Space A. Or if you're old school I. F. Config, I know that's deprecating now though, but I'm gonna use my home network which is zero. Um You may have a different network, especially if you're connected to a VPN. It maybe tap
or something like that. So ensure that you pick the correct interface
and you can either go to the top left and look for wire shark in the search bar there or open up a terminal and type wire shark. And it should launch the application.
So we're gonna scan using that S. T. Flag or the full three way handshake on port 23. As you can see here. I'm the root user. So I'm doing end map. And I'm specifying that S. T. Flag. If you're the Cali user of the non root user, it should do this by default. That that three way handshake.
So you'll see here in wire shark. Uh you know, I started my capture, which is the shark fin on the upper left hand corner. And I'm also now I'm trying to drill down on that specific traffic on port 23. You'll notice when you're capturing traffic and wire shark. It's very noisy, very quickly. So
knowing how to filter is very important. So what I did was TCP dot port equals equals 23.
And you can see here, that means the attacker sends a syn packet. We get a syn ack packet back from that host. Uh We send an ack packet to do that full three way handshake, and then we set a, send a reset ack packet to terminate the connection.
So now I'm gonna as the root user. If you're not the root user, you have to use Sudo, but I'm not specifying any flag. So it should do the stealth scan of the syn scan by default. Again, we're scanning port 23.
So here you'll see that our host sends a syn packet. We get a syn ack packet back, and then we send a reset packet
uh to terminate that. And without finishing the three way handshake again, I'm drilling down using using the filter up there and you can see here, it says TCP dot port equals equals 23. So I'm just looking at the traffic going to port 23 the TCP traffic going to port 23 I should say.
So per end map, they prefer the stealth scan or the syn scan. The irony being that a lot of defensive tools look for that nowadays. So they're actually looking for that, that stealth scan. So it's actually not very stealthy.
Um You know, in the osc p, we don't have to be too concerned. We don't have blue team members trying to stop us. Um but I do want you to know that that when you're using this, maybe you're doing a pen test. Um and there are blue team members there to know what your traffic looks like.
Also, I talked about those flags. I like using an N map, the SV flag for version and sc for default scripts just now. When you run that, that you'll see here. We if I did I did a search TCP contains end map,
you can see here. I think this is the user agent header, has end map scripting engine printed in it. So if you just do a default scan like this, uh you will be very noisy and end map will print uh it's it's and map scripting engine in the user agent header
and you can see here the protocols http.
So now it's your turn to use end map and wire shark. Make sure you use it on a host or authorized to do it. But see what kind of traffic you generate, you know, figure out how to use filters. Um and also figure out how to change your user agent from a map scripting engine to something else. So go out there and figure out how to do that.
Um, just so, you know, a little bit more about end map and and the flags and options you have there,
and also know what your traffic looks like over the wire using wire Shark.
So in summary, we should now understand the basic use of wire. Shark is both an attacker and defender
as well as I understand the traffic we generate within map.