What is Wireshark?


Wireshark is the most widely used network protocol analyzer. A free and open source packet analyzer released under the terms of the GNU General Public License (GPL), it is mainly used for network troubleshooting, analysis, software and communications protocol development, and education. It shows its user what is happening on their network at a microscopic level. Many commercial and non-profit organizations, government agencies, and educational institutions use Wireshark.

History:

In 1998 Gerald Combs, a computer science graduate of the University of Missouri-Kansas City, started a project and named it Ethereal. It is the foundation of Wireshark, which has carried that name since 2006, when Combs left to work for CACE Technologies while holding the copyright on most of the project’s code. The rest of the code was released for modification under the GPL terms. Since then, volunteer contributions from network experts around the world have been added to the project, making it as famous and widely used as it is today.

Because Combs did not own the Ethereal trademark, he decided to rename the project Wireshark. It was not until 2010, when Riverbed Technology purchased CACE Technologies, that Riverbed became the main sponsor of Wireshark. There are many contributors (around 600 authors) to this product; still, Combs remains primarily responsible for maintaining the overall code and issuing new releases of Wireshark.

Wireshark has won several awards for its vital role in today’s network security. It received the Most Important Open-Source App of All Time award from eWeek. Moreover, it won the Editor’s Choice award from PC Magazine. In addition, the Insecure.Org network security tools survey ranked it as the top packet sniffer.

The functionality of Wireshark:

Similar to tcpdump, a common packet analyzer, Wireshark allows us to analyze network packets, but with the aid of a graphical front-end and some extra integrated sorting and filtering options. If the Network Interface Controller (NIC) supports promiscuous mode, Wireshark puts it into that mode. This is done in order to see all the traffic visible on the interface, not merely the traffic addressed to the interface’s configured addresses and broadcast/multicast traffic.

However, on a switched network a port does not necessarily receive all of the network’s traffic, so promiscuous mode alone is not enough. To capture the entire network traffic, other techniques such as port mirroring and network taps are used together with promiscuous mode on the capturing port.

Wireshark 1.4 and later can put wireless network interface controllers into monitor mode. If packets are captured by a remote machine and sent to Wireshark using the TZSP protocol or OmniPeek’s remote capture protocol (OmniPeek is another packet analyzer), Wireshark dissects them, so traffic captured on a remote machine can be analyzed at the time it is captured.

What features does Wireshark include?

In fact, Wireshark offers a large set of features. In the following points, I will attempt to summarize the features that Wireshark offers:

  • Wireshark is a network analyzer that inspects hundreds of protocols.
  • It allows both offline analysis and live capture.
  • It runs on diverse operating systems such as Microsoft Windows, Linux, macOS, Sun Solaris, and several other platforms.
  • A graphical user interface (GUI) built on the Qt widget toolkit lets us browse captured network data; in the non-GUI version, the TTY-mode TShark utility can be used for the same purpose.
  • It offers Voice over Internet Protocol (VoIP) analysis. We can even play back the media flow when decoding such captured traffic.
  • Wireshark uses pcap to capture packets.
  • It can write capture files in gzip format, which are easily decompressed.
  • Such capture files can be programmatically edited or converted via command-line switches to the “editcap” program.
  • It allows capturing raw Universal Serial Bus (USB) traffic.
  • Wireshark is able to read packets from ns, OPNET Modeler, NetSim, and some other network simulation tools.
  • It supports reading and writing many capture file formats, such as tcpdump (libpcap), which is the native network trace file format, Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer, Sniffer Pro, NetXray, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and several other formats.
  • It reads live data from different link types such as Ethernet, IEEE 802.11, PPP/HDLC, ATM, loopback, Bluetooth, FDDI, and many others.
  • Decryption is supported for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2.
  • Coloring rules can be applied to the packet list for quick and easy analysis. See the Color Coding section for further details.
  • By applying particular filters, timers, and other settings, one can ensure that only the traffic that triggers them is analyzed.
  • Output can be exported to and formatted as XML, PostScript, CSV, or plain text.

Security Policies:

In general, no special security privileges are needed to run either Wireshark or TShark. Nowadays, only tcpdump or dumpcap needs to be given special privileges; it runs on the machine and captures the traffic, and the user needs no further privileges.

But how does a superuser grant the required privileges to a user? Basically, tcpdump or dumpcap, which comes with Wireshark, is given the special privileges it needs to capture packets into a file. That file is then opened in Wireshark, which runs with seriously restricted privileges, for analysis. Even on wireless networks, the Aircrack wireless security tools can capture IEEE 802.11 frames, and Wireshark is run afterward to read the resulting tcpdump/dumpcap files.

Why do we need to restrict the privileges with which users run Wireshark and its tools? Basically, because capturing traffic invokes an enormous number of protocol dissectors, which is a network security risk: if a bug is found in one of these dissectors and exploited, the entire system is put at great risk. That is why the old practice of running Ethereal/Wireshark with superuser privileges was a concern, since whoever ran it was responsible for everything such a bug could potentially affect.
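As an added illustration of the privilege split described above (example code written for this post, not part of Wireshark), the following Python checks whether a Linux process carries the two capabilities that a capture helper such as dumpcap needs, CAP_NET_RAW and CAP_NET_ADMIN, and whether it carries anything beyond them. The capability bit numbers come from the Linux header linux/capability.h; the /proc status excerpts at the bottom are constructed samples, not copied from a real system.

```python
# Capability bit numbers from the Linux <linux/capability.h> header.
CAP_NET_ADMIN = 12   # configure interfaces, e.g. enable promiscuous/monitor mode
CAP_NET_RAW = 13     # open raw/packet sockets to read frames off the wire

def parse_capeff(status_text):
    """Return the effective capability mask from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line in status text")

def capture_privilege_report(status_text):
    """Compare a process's effective capabilities with what packet capture needs.
    Capture requires both CAP_NET_RAW and CAP_NET_ADMIN; anything beyond that is
    more privilege than a capture helper should carry, and the analysis GUI
    (Wireshark itself) should hold none of them."""
    mask = parse_capeff(status_text)
    held = {bit for bit in range(64) if mask >> bit & 1}
    needed = {CAP_NET_RAW, CAP_NET_ADMIN}
    return {
        "can_capture": needed.issubset(held),
        "extra_caps": sorted(held - needed),   # privilege the capture helper does not need
        "least_privilege": held == needed,     # exactly the two capture capabilities
    }

def current_process_report():
    """Run the check on this process (Linux only: reads /proc/self/status)."""
    with open("/proc/self/status") as fh:
        return capture_privilege_report(fh.read())

# Constructed /proc status excerpts for three situations (not taken from a real system).
UNPRIVILEGED_USER = "Name:\twireshark\nCapEff:\t0000000000000000\n"    # GUI run as a plain user
DUMPCAP_WITH_FILE_CAPS = "Name:\tdumpcap\nCapEff:\t0000000000003000\n"  # only bits 12 and 13 set
FULL_ROOT = "Name:\tdumpcap\nCapEff:\t000001ffffffffff\n"               # every capability: far too much
```

The report one wants to see is can_capture true with an empty extra_caps for dumpcap, and can_capture false for the Wireshark process itself. The Wireshark project's documented way to achieve the former on Linux is file capabilities on the helper alone, `setcap cap_net_raw,cap_net_admin=eip /usr/bin/dumpcap`, usually combined with restricting who may execute dumpcap via a dedicated group.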

Filtering Packets:

Sometimes we need to capture only specific packets, such as the traffic a program sends when phoning home. With a large number of packets on a network, one would otherwise have to close all other applications using the network in order to isolate a specific traffic type. This is where Wireshark’s filters become important. At the top of the window there is a filter box in which we simply type a filter expression, then click Apply or press Enter. For instance, to see only DNS packets, we type “dns” in the filter box. Wireshark auto-completes the filter name as we type it.

Color Coding:

The colors green, blue, and black distinguish the types of captured packets. Conventionally, green indicates Transmission Control Protocol (TCP) traffic. Dark blue is Domain Name System (DNS) traffic, whereas light blue indicates User Datagram Protocol (UDP) traffic. Black shows TCP packets with problems, such as being out of order.
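To make the filter box and the coloring rules concrete, here is an added Python example written for this post; it is not Wireshark code and uses none of Wireshark’s libraries. It reads the libpcap file format listed under the features above, dissects Ethernet/IPv4/UDP/TCP frames into Wireshark-style field names, evaluates a small subset of the display-filter syntax (it goes a little beyond the “dns” example in the text by also accepting field == value terms joined with &&), and applies the coloring rules from this section in priority order, detecting an out-of-order TCP segment by tracking sequence numbers per flow. The capture it analyzes is constructed inline; its addresses and ports are made up.

```python
import socket
import struct
# Minimal reader for the classic libpcap file format (24-byte global header, 16-byte
# record headers); only link type 1 (Ethernet) and little-endian files are handled.
PCAP_MAGIC = 0xA1B2C3D4

def parse_pcap(data):
    """Yield the raw bytes of each frame in a little-endian pcap file."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != 1:
        raise ValueError("only little-endian pcap with Ethernet frames is handled here")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def dissect(frame):
    """Dissect Ethernet/IPv4/{UDP,TCP} into a dict keyed by Wireshark-style field names."""
    f = {"protocols": ["eth"]}
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return f                                  # not IPv4: stop at the Ethernet layer
    ip, f["protocols"] = frame[14:], ["eth", "ip"]
    f["ip.src"], f["ip.dst"] = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    f["ip.addr"] = {f["ip.src"], f["ip.dst"]}
    l4 = ip[(ip[0] & 0x0F) * 4:]                  # skip the IPv4 header (IHL in 32-bit words)
    if ip[9] == 17 and len(l4) >= 8:              # protocol 17 = UDP
        sport, dport = struct.unpack("!HH", l4[:4])
        f["protocols"].append("udp")
        f["udp.port"] = {sport, dport}
        if 53 in (sport, dport):                  # Wireshark likewise picks DNS by port
            f["protocols"].append("dns")
    elif ip[9] == 6 and len(l4) >= 20:            # protocol 6 = TCP
        sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        f["protocols"].append("tcp")
        f["tcp.srcport"], f["tcp.dstport"], f["tcp.port"] = sport, dport, {sport, dport}
        f["tcp.seq"], f["tcp.flags.reset"] = seq, bool(off_flags & 0x04)
        f["tcp.len"] = len(l4) - (off_flags >> 12) * 4   # payload length after the header
    return f

def matches(f, display_filter):
    """Tiny display-filter subset: protocol names and 'field == value' terms joined by '&&'."""
    for term in display_filter.split("&&"):
        term = term.strip()
        if "==" in term:
            name, value = (s.strip() for s in term.split("==", 1))
            wanted = int(value) if value.isdigit() else value
            if wanted not in f.get(name, set()):  # ip.addr / udp.port / tcp.port are sets
                return False
        elif term not in f["protocols"]:
            return False
    return True

def color_for(f, flows):
    """First matching rule wins: bad TCP -> black, DNS -> dark blue, UDP -> light blue, TCP -> green."""
    protos = f["protocols"]
    if "tcp" in protos:
        key = (f["ip.src"], f["tcp.srcport"], f["ip.dst"], f["tcp.dstport"])
        expected = flows.get(key)                 # next sequence number expected on this flow
        bad = f["tcp.flags.reset"] or (expected is not None and f["tcp.seq"] < expected)
        flows[key] = max(expected or 0, f["tcp.seq"] + f["tcp.len"])
        if bad:
            return "black"                        # RST, or out-of-order/retransmitted data
    if "dns" in protos:
        return "dark blue"
    if "udp" in protos:
        return "light blue"
    return "green" if "tcp" in protos else "none"

def analyze(pcap_bytes, display_filter=""):
    """Return [(frame number, color, protocol stack)] for frames that pass the filter."""
    flows, rows = {}, []
    for number, frame in enumerate(parse_pcap(pcap_bytes), start=1):
        f = dissect(frame)
        color = color_for(f, flows)               # flow state is updated even for hidden frames
        if not display_filter or matches(f, display_filter):
            rows.append((number, color, "/".join(f["protocols"])))
    return rows

def _frame(src, dst, proto, payload):
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip_hdr + payload   # zero MACs, EtherType IPv4
def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
def _tcp(sport, dport, seq, flags, payload):
    return struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 8192, 0, 0) + payload

def sample_pcap():
    """Constructed capture (not a real trace, checksums left at zero): a DNS query, a plain
    UDP datagram, and two TCP segments of one flow, the second of which is out of order."""
    frames = [
        _frame("10.0.0.5", "10.0.0.1", 17, _udp(40000, 53, b"\x12\x34\x01\x00" + b"\x00" * 8)),
        _frame("10.0.0.5", "10.0.0.9", 17, _udp(5000, 6000, b"hello")),
        _frame("10.0.0.5", "10.0.0.7", 6, _tcp(51000, 80, 1000, 0x18, b"GET / HTTP")),
        _frame("10.0.0.5", "10.0.0.7", 6, _tcp(51000, 80, 1005, 0x18, b"GET / HTTP")),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, fr in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(fr), len(fr)) + fr
    return out
```

Calling analyze(sample_pcap(), "dns") returns only the first frame, while analyze(sample_pcap()) colors the fourth frame black because its sequence number (1005) falls below the 1010 the flow table expects after the third segment. Real Wireshark evaluates the full filter grammar and ships many more coloring rules, but ordering matters in the same way: rules are tested top to bottom and the first match decides the color, which is why the black “bad TCP” rule has to be checked before the green TCP rule.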


Elsewhere, check out my other post about Metasploit.

What is Metasploit?


The Metasploit Project is a computer security project that provides information about vulnerabilities and aids in penetration testing and in developing Intrusion Detection System (IDS) signatures. Penetration testing is an authorized simulated attack on a computer system that looks for security weaknesses, while an IDS monitors a network or systems for malicious activity. The most prominent related sub-project is the Metasploit Framework. The Metasploit Framework is open source and is the most widely used exploit development framework in the world. I will elaborate on this framework later in this article.

However, it can be used both for legitimate and for unauthorized access to and activity on computer systems. In this regard, it is no different from similar commercial products such as Immunity’s Canvas or those of Core Security Technologies. Metasploit is commonly used to break into remote systems or to test a computer system for vulnerabilities.

Historical Background:

Since its initial development in the high-level language Perl by Moore in 2003, Metasploit and its framework have gone through two main changes. First, by 2007 the framework had been completely rewritten in the Ruby programming language. Later, in 2009, Rapid7 acquired the project. Rapid7 is a security company that provides unified vulnerability management solutions.

Two of Rapid7’s main contributions were Metasploit Express and Metasploit Pro. Metasploit Express, released in 2010, targets security teams who need to verify vulnerabilities. It provides the user with automated evidence collection and allows brute-force methods as well. Further, Metasploit Express integrates the Network Mapper (Nmap) and offers a user-friendly graphical user interface (GUI).

Metasploit Pro, which also came out in 2010, added further distinguishing features. This edition focuses on penetration testers and IT security teams. Quick Start Wizards/MetaModules, building and managing social engineering campaigns, an advanced Pro Console, web application testing, dynamic payloads for anti-virus evasion, integration with Nexpose for ad-hoc vulnerability scans, and Virtual Private Network (VPN) pivoting are the features that characterize Metasploit Pro.

Metasploit 4.0 was released in 2011; its predecessor, Metasploit 3.0, was released in 2006 and received further updates afterward. Fuzzing tools, which feed random and unexpected inputs to a program in order to observe exceptions and crashes, were added to earlier versions of the project so that it could find and discover software vulnerabilities rather than merely exploit known bugs. Accordingly, a third-party Metasploit module emerged that scans software for potential exploits, provides reliable exploitability-risk results, and further recommends remediation for such bugs.

Exploits:

Fundamentally, an exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior on a computer system or in software. The exploits identified by Metasploit number around 1613. They fall into four main categories.

The first category, Android and Apple iOS, targets mobile phones. Firefox is another category, covering remote code execution in that browser. Another category targets particular operating systems such as Windows, Linux, Unix, Mac, Sun Solaris, etc. The remaining category is multi: exploits not tied to any specific platform belong here.

Payloads:

In computer networking and on the internet, a payload refers to the part that produces the eventual effect of a software virus once it has been delivered to a user’s computer. Metasploit has over 438 payloads. One of the most widespread is the Command Shell, which grants users the ability to run collection scripts and commands against the host.

Meterpreter is another payload. It allows Virtual Network Computing (VNC) for users and lets them browse, upload, and download files as well. Dynamic payloads are another type: they generate unique payloads in order to evade anti-virus defenses.

Metasploit Framework:

It is basically an open-source framework that accepts contributions from developers through the GitHub.com website. Such contributions are mainly exploits and scanners. They are reviewed by a team made up of Rapid7 employees and senior external contributors. The main developers of the framework are Moore, Matt Miller, and spoonm.

Metasploit Interfaces:

Other than Metasploit Express and Metasploit Pro, there are four other main interfaces available for Metasploit. Metasploit Framework Edition is the free version of Metasploit. It offers a command-line interface, Zenmap, a compiler for Ruby, and a well-known port scanner. Metasploit Community Edition is another free version. This version is included in the main installer, and it offers several features such as manual exploitation, network discovery, and module browsing.

Armitage is another free interface: a graphical cyber attack management tool used to visualize targets and recommend exploits based on their vulnerabilities. It is an open-source network security tool that allows shared sessions, data, and communication through a single Metasploit instance. Cobalt Strike is another interface that contains all the features of Armitage and adds post-exploitation tools and report generation. This interface, however, is provided by a different company, Strategic Cyber LLC.

How to exploit a system using Metasploit:

One of the main advantages of the Framework is that any exploit can be combined with any payload. Before going through the detailed steps of exploiting a system, one must first gather some information about the intended target system.

How can we learn the installed network services and operating system versions, for instance? For this purpose we use port scanning (to learn which ports a host on the network has open) and OS fingerprinting (analyzing the data flowing from such systems), tools like Nmap, and vulnerability scanners such as Nexpose, Nessus, and OpenVAS. To ensure an accurate choice of exploit, Metasploit imports the data from such vulnerability scanners and checks that the proposed exploit is appropriate for the vulnerabilities that exist.

There are five basic steps in exploiting a system using Metasploit:

  1. Choose an exploit and configure it, writing the appropriate code, to target a system and a particular bug in it.
  2. Check whether the target system is susceptible to the chosen exploit.
  3. Choose a payload to apply on the target system once the exploit succeeds and access is obtained.
  4. Choose an appropriate encoding technique so that the intrusion prevention system (IPS) does not recognize the incoming payload.
  5. Finally, execute the exploit.

Some Commands used:

search <pattern>

It searches for matches of a given pattern. For example, “search xxx” lists all modules matching “xxx”.

use <exploit name>

It tells the program to use a particular exploit.

set <parameter> <value>

It sets the value of a given parameter.

setg <parameter> <value>

It sets the value of a given parameter globally, to avoid having to set the same parameters again and again later on.

exploit

Finally, this performs the attack on the target system.
