Using Wireshark

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or

Already have an account? Sign In »

Time
21 hours 43 minutes
Difficulty
Intermediate
CEU/CPE
22
Video Transcription
00:00
>> Using Wireshark. In this lesson,
00:00
we are to understand the basic use of
00:00
Wireshark is both an attacker and defender,
00:00
as well as to understand the traffic
00:00
regenerate within map.
00:00
Wireshark is an open source packet capture tool
00:00
and it also analyzes packets as well.
00:00
It's used by system admins or
00:00
network admins to debug networking issues.
00:00
It's also used by the blue team guys,
00:00
the defenders, to look for malicious traffic.
00:00
We can also use it as attackers to figure out what noise
00:00
our tools are making or maybe one of our tools
00:00
isn't working and we want to know why.
00:00
We use Wireshark to debug our own issues,
00:00
as well as understand perhaps we set
00:00
up a server and we want to
00:00
see what the hosts are that are coming to our website.
00:00
We'll see a little bit later how we can
00:00
weaponize that, which is pretty fun.
00:00
Wireshark with Nmap,
00:00
again it's important to know what your tools do over
00:00
the wire and we're going to look at
00:00
two different scans with Nmap.
00:00
There's the sT flag or the full three-way handshake,
00:00
TCP handshake and these are also
00:00
the SYN scan or Stealth scan.
00:00
I want to show you what that looks like over
00:00
the wire in Wireshark.
00:00
First, you want to pick your correct interface.
00:00
I use IP space A,
00:00
or if you're old school, IF config,
00:00
I know this deprecated now though,
00:00
but I'm going to use my home network which is e0.
00:00
You may have a different network,
00:00
especially if you're connected to a VPN,
00:00
it may be tap or something like that.
00:00
Ensure that you pick the correct interface and you can
00:00
either go to the top-left and look
00:00
for Wireshark in the search bar there,
00:00
or open up a terminal and
00:00
type Wireshark and it should launch the application.
00:00
We're going to scan using that sT flag or
00:00
the full three-way handshake on port 23.
00:00
As you can see here, on the root user,
00:00
so I'm doing Nmap and I'm specifying that sT flag.
00:00
If you're the cali user or the non-root user,
00:00
it should do this by default, that three-way handshake.
00:00
You'll see here in Wireshark,
00:00
I started my capture,
00:00
which is the shark fin on
00:00
the upper left-hand corner and I'm
00:00
also now I'm trying to drill down
00:00
on that specific traffic on Port 23.
00:00
You'll notice when you're capturing
00:00
traffic and Wireshark,
00:00
it's very noisy very quickly.
00:00
Knowing how to filter is very important.
00:00
What I did was tcp.
00:00
port == 23,
00:00
and you can see here that means the attacker
00:00
sends a SYN packet.
00:00
We get a SYN/ACK packet back from that host.
00:00
We send an ACK packet
00:00
to do that full three-way handshake and then
00:00
we send a reset ACK packet to terminate the connection.
00:00
Now, if you're not the root user, you have to use Sudo,
00:00
but I'm not specifying any flags,
00:00
so it should do the Stealth scan or
00:00
the SYN scan by default.
00:00
Again, we're scanning Port 23.
00:00
Here you'll see that our host sends a SYN packet.
00:00
We get a SYN/ACK packet back,
00:00
and then we send a reset packet
00:00
to terminate that and
00:00
without finishing the three-way handshake.
00:00
Again, I'm drilling down
00:00
using the filter up there and you can
00:00
see here it says tcp.port == 23.
00:00
I'm just looking at the TCP traffic
00:00
going to Port 23, I should say.
00:00
Per Nmap, they prefer the Stealth scan or the SYN scan.
00:00
The irony being that a lot of
00:00
defensive tools look for that nowadays.
00:00
They're actually looking for that Stealth scan.
00:00
It's actually not very stealthy.
00:00
In the OSEP, we don't have to be too concerned.
00:00
We don't have blue team members trying to stop us.
00:00
But I do want you to know that when you're using this,
00:00
maybe you're doing a pen test and there are
00:00
blue team members there
00:00
to know what your traffic looks like.
00:00
Also, I talked about those flags are like using an Nmap,
00:00
the sV flag for version and sC for default scripts.
00:00
Just know when you run that you'll see here.
00:00
If I did a search TCP contains Nmap.
00:00
You can see here I think this is the user agent header,
00:00
has Nmap scripting and in printed in it.
00:00
If you just do a default scan like this,
00:00
you will be very noisy and Nmap will print
00:00
its Nmap scripting engine in
00:00
the User-Agent header and
00:00
you can see here the protocols, HTP.
00:00
Now it's your turn to use Nmap and Wireshark.
00:00
Make sure you use it on a host or authorized to do it.
00:00
But see what traffic it degenerate.
00:00
Figure out how to use filters,
00:00
and also figure out how to
00:00
change your user agent
00:00
from Nmap scripting engine to something else.
00:00
Go out there and figure out how to do that.
00:00
Just so you know a little bit more about Nmap
00:00
and the flags and options you have there.
00:00
Also know what your traffic looks
00:00
like over the wire using Wireshark.
00:00
In summary, we should now understand the basic use
00:00
of Wireshark is both an attacker and defender,
00:00
as well as understand the traffic regenerate with Nmap.
Up Next