Wireshark and encrypted traffic
We only have one learning objective here, which is to understand the difference between encrypted traffic and unencrypted traffic when using Wireshark. So why is this important? Well, as an attacker, we want to know again what our tools do. And if I'm using Netcat in a pentest and I am exfiltrating data, I'm doing everything in the clear. A defender can see exactly what data I'm exfiltrating, which
of course is bad. So it's important to know what our tools do, and a tool that's like Netcat is socat. So in the new PWK material that came out last year, they are now introducing socat. socat's been out longer than that, of course. But the tool is like Netcat, a bit more versatile,
and it's a little bit harder to learn how to use. Now we can see here I'm creating a reverse shell on port 22
from my Windows box connecting to my Kali box. And here is the syntax, again not as easy to learn as Netcat.
So if we look at our packet capture in Wireshark we can see the commands that have been issued: we can see the whoami command, the ipconfig command and the output from those commands. And if we look at the actual terminal windows on my Kali box, we see we have that listener set up on port 22, that connection, and then of course I'm issuing those commands,
and on my Windows box I'm using socat.exe to connect to my Kali box. So that's to say
we're busted, because port 22 is supposed to be SSH, it's supposed to be encrypted traffic. So a defender would very quickly pick up what we're doing.
Now as far as OSCP is concerned, I wouldn't really worry about that, but that's to say, if we are connecting to HTTPS we're not going to be able to see the traffic that we're generating because it's going to be encrypted. So trying to debug something where encryption is involved is going to be a lot harder for us.
Now, we can also use socat to encrypt our traffic as well.
So here is the syntax. Again, if you have the PWK or PEN-200 materials, they kind of walk you through this.
But again, here's our packet capture, this time using encryption, and again we have no idea what's going on here because we're using encryption.
So we have our listener set up here on our Kali box, and
we're now connecting to it from my host. So I'm issuing the id command, the ifconfig command, and I'm not seeing any of that output.
So I want to show you this hands-on. Let's just use our localhost here. So what I'm going to do is create a Netcat listener,
and I'm going to do that on port
Now here I'm going to use Netcat
and I'm just going to say hi.
And we will stop here, and let's take a look at Wireshark.
So I right-click and I follow the TCP stream.
I can see everything in the clear here: "Hi, how are you?"
So that's to say, when using Netcat I can see exactly what is going on. Let's try this again.
But this time, we're not going to use socat, we're going to use
ncat, which is made by our friends at Nmap.
So what we'll do now is we will
That's where we'll connect to. And here I'll do ncat again.
I'm going to listen on port 12345 using SSL,
and here I'm going to connect using SSL.
So I'll stop this capture and I will do the same thing,
and now I can't see anything. So using SSL here with ncat,
we now can't see what's going on.
Hopefully that practical example makes sense for you.
So in summary, now we should understand the difference between encrypted traffic and unencrypted traffic using Wireshark.
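The defender's side of the lecture's point, as an added example that is not part of the lecture or the PWK materials: a plaintext socat shell on 22/tcp stands out because real SSH announces itself with an "SSH-" banner, while the ncat --ssl session starts with a TLS record header and shows up in Follow TCP Stream as dots. The script below classifies the first bytes of a TCP stream, renders them roughly the way Wireshark's Follow TCP Stream does, and flags a port/protocol mismatch. The expected-protocol table and all sample payloads are constructed for this example, not captured traffic.

```python
"""Port/protocol mismatch check for TCP stream payloads (added example).

The idea from the lecture: a defender does not need to read the shell
commands to get suspicious; plaintext on a port that should carry SSH or
TLS is enough. Everything below is self-contained, no pcap library needed.
"""
from dataclasses import dataclass

# Assumption for this example: which protocol each well-known port should carry.
EXPECTED_PROTOCOL = {22: "ssh", 443: "tls", 80: "http"}

HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS")


@dataclass
class Segment:
    """First data bytes of one TCP stream, as Wireshark would reassemble them."""
    dst_port: int
    payload: bytes


def _is_text_byte(b: int) -> bool:
    return 0x20 <= b < 0x7F or b in b"\r\n\t"


def printable_ratio(payload: bytes) -> float:
    """Fraction of bytes that are printable ASCII; plaintext shells sit near 1.0."""
    if not payload:
        return 0.0
    return sum(1 for b in payload if _is_text_byte(b)) / len(payload)


def classify_payload(payload: bytes) -> str:
    """Guess the application protocol from the first bytes of a stream."""
    if payload.startswith(b"SSH-"):  # SSH version string, RFC 4253 section 4.2
        return "ssh"
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x04
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        return "tls"
    if payload.split(b" ", 1)[0] in HTTP_METHODS:
        return "http"
    if printable_ratio(payload) > 0.9:
        return "plaintext"
    return "binary"


def follow_stream(payload: bytes) -> str:
    """Roughly what Wireshark's Follow TCP Stream renders: text as-is, other bytes as '.'."""
    return "".join(chr(b) if _is_text_byte(b) else "." for b in payload)


def check_segment(seg: Segment) -> tuple:
    """Return (observed_protocol, mismatch). mismatch is None for ports we have no expectation for."""
    observed = classify_payload(seg.payload)
    expected = EXPECTED_PROTOCOL.get(seg.dst_port)
    if expected is None:
        return observed, None
    return observed, observed != expected


def audit(segments: list) -> list:
    """One alert line per stream whose content does not match its port."""
    alerts = []
    for seg in segments:
        observed, mismatch = check_segment(seg)
        if mismatch:
            alerts.append(
                f"port {seg.dst_port}: expected {EXPECTED_PROTOCOL[seg.dst_port]}, "
                f"saw {observed}: {follow_stream(seg.payload)[:40]!r}"
            )
    return alerts


# Constructed sample streams (not real captures).
REAL_SSH = Segment(22, b"SSH-2.0-OpenSSH_8.9\r\n")
SOCAT_SHELL_ON_22 = Segment(22, b"whoami\r\ndesktop\\user\r\nipconfig\r\n")
NCAT_SSL_ON_12345 = Segment(12345, b"\x16\x03\x01\x00\x8c\x01\x00\x00\x88\x03\x03" + bytes(range(32)))
TLS_ON_443 = Segment(443, b"\x16\x03\x03\x00\x40\x01\x00\x00\x3c\x03\x03" + bytes(range(32)))
SAMPLE_STREAMS = [REAL_SSH, SOCAT_SHELL_ON_22, NCAT_SSL_ON_12345, TLS_ON_443]

if __name__ == "__main__":
    for seg in SAMPLE_STREAMS:
        print(seg.dst_port, classify_payload(seg.payload), repr(follow_stream(seg.payload)[:40]))
    for line in audit(SAMPLE_STREAMS):
        print("ALERT", line)
```

Note what the check does and does not catch: the plaintext socat shell on 22 is flagged because the banner is missing and the bytes read as text, while the encrypted ncat session on 12345 only classifies as TLS, with no alert, because the example has no expectation for that port. Encryption hides the commands, not the fact that a TLS session exists on an unusual port.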