Hello. My name is Dustin, and welcome to Pentest Basics: Sniffing.
One of the most popular sniffing tools today is Wireshark. Wireshark is a free and open source tool that can be installed on Windows, Linux or Mac and lets you see what's happening on the network that it's sniffing, with deep packet inspection, live capture and offline analysis.
When you live capture network traffic, you are actively sniffing and seeing all the packets in the Wireshark GUI. So it's gonna be actively scrolling through, just capturing all of these packets. You can then save these captures as pcap files to further analyze them at a later time.
In the next lab, we're going to go over capturing live data and analyzing previous packet captures. So Wireshark does provide both a GUI and terminal access, or a command line interface, with TShark, which works very similar to tcpdump, which we'll get into a little later in this module.
In this demo, we're going to go over a few different packet captures that you can get from wireshark.org. These will be provided with the course. The first packet capture we're going to go over is a Telnet packet capture. And if you don't remember, Telnet is a network protocol that provides bidirectional communication between two hosts. And if you do remember from the networking module, that communication is unencrypted.
Next, we're going to go over a packet capture that happened to, um, somewhat capture some web traffic that included a picture, which is pretty common. Um, we're going to reassemble this picture from the data packets that were captured. So let's go ahead and hop in our lab and get started.
Okay, so Wireshark is pretty easy to install. You just download it from wireshark.org, double click the executable and run through the installation options. So we've already got it downloaded and installed. Um, oops, that's the installer, we don't want that one. Let's go ahead and open Wireshark.
So when you open Wireshark, this is kind of the default view as soon as you get in. So here you can open up previous packet capture files, or you can actually start capturing traffic. Also, to show you how to start capturing traffic real quick: you just click the little shark fin, Start Capturing Packets, and this will monitor any traffic that's going by this computer, depending on how your network adapter is set up, and capture that traffic. As you can see, mine's not set up, so it's not really capturing anything. But that is how you do it, and you can stop with the little red square; that stops the packet capture.
So let's go ahead, and we're going to open our Telnet file, and I've got that on the desktop. And again, this is an example I got from wireshark.org. So let's go ahead and open it.
So if this is the first time you're ever using Wireshark, it looks like a bunch of gibberish. You can see a source; we all get that, that's where the packet came from. The destination is where it was heading to. But then it's just kind of, ah, a bunch of stuff, and you see some stuff here highlighted, keep-alives, and it's nothing really.
So there are a few things you can do to make it useful. Depending on what you're looking for, you can apply a filter. So if you're only looking for, like, a source IP or a destination IP, you can apply that filter here.
But what we're gonna want to do, we're gonna go to Analyze. And we know this is, ah, TCP traffic; you can see TCP and Telnet. So we're gonna Follow the TCP Stream, and this kind of reassembles those packets so we can actually read it a little bit better. And as you can see here, it looks like there was a login of fake, password user, and it tells a little bit about it. Um, welcome to OpenBSD, and ls was run, ls -da. You can see all of the stuff actually being run in plain text.
And again, this could have been captured just by sniffing the network, looking for any traffic.
And that's one reason you don't want to use Telnet: it's because it's not encrypted. This is all just going across your network in plain text. If you would use SSH or, uh, SSH keeps you encrypted, and some of this data wouldn't be just readable right away.
So that was a pretty easy example. Let's go ahead and open our next one, and we're gonna open the HTTP with JPEGs. So we will open that. And as you can see, not as much data here, but we do have a few things. We've got our HTTP traffic here; you can see that with HTTP. So let's see what we've got.
And I should mention, if you double click, you can open any of these specific packets here. You can see a little bit more about the packets. This is the frame layer, then Ethernet, then your IP layer, the TCP layer, and we're moving up in that network stack, HTTP. And then here's any data that it found.
So let's go ahead. And it looks like we have that TCP filter on already. Let's get that out of there, because we want to see everything that it captured. That looks a little more normal. So if we just scroll through this, there's a ton of traffic, and so we could see right here there was possibly a JPEG image, and you can filter that just by typing. Let's clear that filter, and we want to do, sorry, um, some JPEGs. We've got a sydney.jpg, bg2.jpg, that JPEG, and a fullsize seaworld one. So this one sounds interesting. So let's take a look at this.
And we can see this was a request, um, for this file, the actual URL. We get this file, we'll see. It looks like we did get this file. So here's the file data; you can see it is a pretty large file. So if you right click that, Export Packet Bytes, we're gonna name it picture.jpg, and you want to make sure, since we're trying to reassemble a JPEG, we don't want that file type; do All Files, and you actually write it as a .jpg. So let's put that on the desktop. And let's see what we got.
That looks like a picture of SeaWorld to me, and that was reassembled with data that was actually just captured on the wire. So let's see if we could do one more. We'll open up Wireshark again, and we will look for some more JPEGs. So let's see. That's the SeaWorld one; we'd seen that one already, so let's scroll up. Here's a couple JPEGs here. So we've got sydney.jpg and bg2.jpg. This is where it is getting the file. So we go back here, and we see our file, and so right click it, Export Packet Bytes, and we'll name this just picture2.jpg. And once we get the other one while we're here, Export Packet Bytes. I may have messed that up. We'll see.
All right, so here we've got picture2, and it loads fine. So that was a picture that happened to be in the web traffic. And then picture3.
So that's how easy it is to reassemble packets and extract the information from them.
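The two things the demo does by hand in the Wireshark GUI, following a TCP stream to read the Telnet session and carving a JPEG out of an HTTP response with Export Packet Bytes, can be reproduced on a pcap file in a few dozen lines of Python. The script below is an added example written for this page, not code from the course or from the Wireshark project. Instead of reading the wireshark.org sample files it builds its own small constructed capture (a fake HTTP download whose two segments arrive out of order, carrying a synthetic body with JPEG start and end markers but no real image, plus a fake Telnet login of fake / user), and it implements a minimal classic-pcap reader rather than calling TShark. All addresses, ports and file names in it are made up.

```python
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4          # little-endian classic pcap magic number
JPEG_SOI = b"\xff\xd8\xff"       # JPEG "start of image" marker Wireshark keys on for image/jpeg
# Constructed stand-in for a JPEG body: valid SOI/EOI markers, no real picture data.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0JFIF\x00" + b"\x00" * 20 + b"\xff\xd9"


def ip4(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def ip_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_frame(src, dst, sport, dport, seq, payload: bytes) -> bytes:
    """Ethernet II + IPv4 + TCP (PSH|ACK) frame; MACs and the TCP checksum are dummies."""
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, ip4(src), ip4(dst))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return eth + ip + tcp


def write_pcap(frames) -> bytes:
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)   # link type 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out


def read_pcap(data: bytes):
    """Yield raw frames from a classic pcap file, whichever byte order it was written in."""
    magic, = struct.unpack_from("<I", data)
    endian = "<" if magic == PCAP_MAGIC else ">"
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def follow_tcp_streams(frames):
    """Like Analyze > Follow TCP Stream: one byte string per direction, ordered by sequence number."""
    streams = defaultdict(dict)
    for f in frames:
        if len(f) < 34 or f[12:14] != b"\x08\x00" or f[23] != 6:   # IPv4 carrying TCP only
            continue
        ihl = (f[14] & 0x0F) * 4
        total_len = struct.unpack_from("!H", f, 16)[0]
        src = ".".join(map(str, f[26:30]))
        dst = ".".join(map(str, f[30:34]))
        t = 14 + ihl
        sport, dport, seq = struct.unpack_from("!HHI", f, t)
        doff = (f[t + 12] >> 4) * 4
        payload = f[t + doff:14 + total_len]
        if payload:
            streams[(src, sport, dst, dport)][seq] = payload
    return {k: b"".join(v[s] for s in sorted(v)) for k, v in streams.items()}


def http_bodies(stream: bytes):
    """Split a server-side HTTP/1.x stream into (headers, body) pairs using Content-Length."""
    out, pos = [], 0
    while (end := stream.find(b"\r\n\r\n", pos)) >= 0:
        headers = stream[pos:end].decode("latin-1")
        length = 0
        for line in headers.split("\r\n"):
            if line.lower().startswith("content-length:"):
                length = int(line.split(":", 1)[1])
        out.append((headers, stream[end + 4:end + 4 + length]))
        pos = end + 4 + length
    return out


def carve_jpegs(pcap: bytes):
    """What Export Packet Bytes did by hand: every HTTP body that begins with a JPEG marker."""
    found = []
    for key, stream in follow_tcp_streams(read_pcap(pcap)).items():
        if key[1] != 80:            # keep only the server -> client side of an HTTP conversation
            continue
        for _, body in http_bodies(stream):
            if body.startswith(JPEG_SOI):
                found.append((key, body))
    return found


def build_sample_capture() -> bytes:
    """Constructed capture: an HTTP image download (segments out of order) plus a Telnet login."""
    client, web, telnet = "10.0.0.5", "10.0.0.80", "10.0.0.23"
    resp = (b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\nContent-Length: %d\r\n\r\n"
            % len(JPEG_SAMPLE)) + JPEG_SAMPLE
    cut = len(resp) // 2
    return write_pcap([
        build_frame(client, web, 40000, 80, 1000, b"GET /seaworld.jpg HTTP/1.1\r\nHost: 10.0.0.80\r\n\r\n"),
        build_frame(web, client, 80, 40000, 5000 + cut, resp[cut:]),   # second half captured first
        build_frame(web, client, 80, 40000, 5000, resp[:cut]),
        build_frame(telnet, client, 23, 40001, 100, b"login: "),
        build_frame(client, telnet, 40001, 23, 200, b"fake\r\n"),
        build_frame(telnet, client, 23, 40001, 107, b"Password: "),
        build_frame(client, telnet, 40001, 23, 206, b"user\r\n"),
    ])


if __name__ == "__main__":
    cap = build_sample_capture()
    for key, stream in follow_tcp_streams(read_pcap(cap)).items():
        print(key, stream)                               # Telnet credentials appear in clear text
    for n, (_, body) in enumerate(carve_jpegs(cap), 1):
        with open("picture%d.jpg" % n, "wb") as fh:      # same as saving exported bytes as .jpg
            fh.write(body)
```

Running it prints the reassembled streams, so the Telnet direction shows the username and password exactly as Follow TCP Stream did in the demo, and writes picture1.jpg from the HTTP stream even though the server's two segments were captured out of order, which is the reassembly step that makes Export Packet Bytes work. The reader deliberately stays simple: it ignores retransmissions, chunked transfer encoding and pcapng files. On a real capture the TShark equivalent of the GUI export is `tshark -r file.pcap --export-objects http,outdir`.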