What is Wireshark?


Wireshark is the most widely used network protocol analyzer. It is free and open source, released under the terms of the GNU General Public License (GPL), and is used mainly for network troubleshooting, traffic analysis, software and communications protocol development, and education. It shows the user what is happening on the network at a microscopic level, and it is in use at commercial and non-profit organizations, government agencies, and educational institutions alike.


In 1998 Gerald Combs, a computer science graduate of the University of Missouri-Kansas City, started a project named Ethereal, the foundation of what is now Wireshark. The project has carried the Wireshark name since 2006, when Combs moved to CACE Technologies; he held the copyright on most of the project's code, and the rest was open to modification under the GPL terms. Volunteer contributions from network experts around the world have since grown the project into the widely used tool it is today.

Because Combs did not own the Ethereal trademark, he renamed the project Wireshark. In 2010 Riverbed Technology purchased CACE Technologies and became Wireshark's main sponsor. Around 600 authors have contributed to the product, but Combs remains the person responsible for maintaining the overall code base and releasing new versions of Wireshark.

Wireshark has won several awards for its role in network security: eWeek named it the Most Important Open-Source App of All Time, PC Magazine gave it an Editor's Choice award, and the Insecure.Org network security tools survey ranked it among the top packet sniffers.

The functionality of Wireshark:

Like tcpdump, a common command-line packet analyzer, Wireshark captures and analyzes network packets, but adds a graphical front-end and integrated sorting and filtering options. If the Network Interface Controller (NIC) supports promiscuous mode, Wireshark puts it into that mode so that all traffic seen on the interface is captured, not only the traffic addressed to the interface's configured addresses plus broadcast and multicast traffic.

Promiscuous mode alone does not guarantee that you see all of the network's traffic: on a switched network a port only receives the frames addressed to it, plus broadcast, multicast and flooded frames. To capture the complete traffic, techniques such as port mirroring (SPAN) and network taps are used in combination with promiscuous mode on the capturing port.

Wireshark 1.4 and later can also put wireless network interface controllers into monitor mode. Packets captured on a remote machine and forwarded to Wireshark in an encapsulation such as TZSP or OmniPeek's remote-capture protocol (OmniPeek is another packet analyzer) are dissected just as if they had been captured locally.

What features does Wireshark include?

Wireshark offers a large set of features. The following points summarize the features that Wireshark offers:

  • Wireshark inspects hundreds of protocols.
  • It allows both live capture and offline analysis.
  • It runs on Microsoft Windows, Linux, macOS, Sun Solaris, and several other platforms.
  • A graphical user interface (GUI) built on the Qt widget toolkit lets you browse captured network data; the TTY-mode TShark utility offers the same capabilities without a GUI.
  • It offers rich Voice over Internet Protocol (VoIP) analysis; when the captured media flow is decoded it can even be played back.
  • Wireshark uses the pcap library (libpcap; Npcap or WinPcap on Windows) to capture packets.
  • It reads gzip-compressed capture files, decompressing them on the fly, and can write them compressed.
  • Captured files can be edited programmatically with the "editcap" command-line program and its switches.
  • It can capture raw Universal Serial Bus (USB) traffic.
  • Wireshark can read packet traces produced by network simulators such as ns, OPNET Modeler, and NetSim.
  • It reads and writes many capture file formats: tcpdump (libpcap), its native format; pcapng; Catapult DCT2000; Cisco Secure IDS iplog; Microsoft Network Monitor; Network General Sniffer; Sniffer Pro; NetXray; Network Instruments Observer; NetScreen snoop; Novell LANalyzer; RADCOM WAN/LAN Analyzer; Shomiti/Finisar Surveyor; Tektronix K12xx; Visual Networks Visual UpTime; WildPackets EtherPeek/TokenPeek/AiroPeek; and several others.
  • It captures live data from Ethernet, IEEE 802.11, PPP/HDLC, ATM, loopback, Bluetooth, FDDI, and many other link types.
  • Decryption is supported for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2, when the necessary keys are supplied.
  • Coloring rules applied to the packet list allow quick visual analysis. See the Color Coding section for details.
  • Capture filters and display filters let you restrict the traffic that is captured or shown to exactly what you are interested in.
  • Output can be exported to XML, PostScript, CSV, or plain text.

Security Policies:

Using Wireshark or TShark does not, in general, require any special privileges. Today only the capture program, dumpcap (or tcpdump), needs elevated privileges; once it runs with those privileges the user can capture traffic and analyze it in Wireshark without any further privileges.

How does an administrator grant those privileges? The key point is that dumpcap (or tcpdump), which ships with Wireshark, is the only component that needs them, and it uses them only to capture packets into a file. Wireshark then opens that file with ordinary, seriously restricted user privileges. The same split applies to wireless networks: the Aircrack-ng suite can capture IEEE 802.11 frames to a file, and the resulting dump is read afterwards in Wireshark.

Why restrict privileges for Wireshark at all? Dissecting captured traffic invokes an enormous number of protocol dissectors, each of which parses untrusted data taken from the network. A bug in any one of them can be triggered by a crafted packet and potentially exploited, and if the parser runs as root the whole system is at risk. That is why Ethereal/Wireshark, which in the past had to run with superuser privileges in order to capture, now separates the privileged capture step from the unprivileged parsing.
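The privilege split described above, as an added example (not code from the Wireshark project): a POSIX shell script that gives dumpcap only the two capabilities it needs and restricts execution to one group, plus a check that the granted capability set is no broader than that. The dumpcap path, the group name and the use of Linux file capabilities (setcap/getcap) are assumptions; Debian-based systems offer the same setup through dpkg-reconfigure wireshark-common.

```shell
#!/bin/sh
# Added example, not part of Wireshark: run the capture helper with file
# capabilities instead of running the whole analyzer as root.
# Assumptions: dumpcap lives at /usr/bin/dumpcap, Linux file capabilities
# (setcap/getcap) are available, and "wireshark" is the capture group.

DUMPCAP=${DUMPCAP:-/usr/bin/dumpcap}
CAPGROUP=${CAPGROUP:-wireshark}

# harden_dumpcap USER: give dumpcap cap_net_raw (open a packet socket) and
# cap_net_admin (enable promiscuous/monitor mode), make it executable only by
# members of $CAPGROUP, and add USER to that group. Wireshark itself then runs
# with the user's ordinary privileges and only reads what dumpcap hands it.
harden_dumpcap() {
    groupadd -f "$CAPGROUP"
    chgrp "$CAPGROUP" "$DUMPCAP"
    chmod 0750 "$DUMPCAP"
    setcap cap_net_raw,cap_net_admin=eip "$DUMPCAP"
    usermod -aG "$CAPGROUP" "$1"
}

# caps_ok GETCAP_LINE: succeed only if a line as printed by
# `getcap /usr/bin/dumpcap` grants exactly cap_net_admin and cap_net_raw
# (getcap lists them in that order). Both the newer "path caps=eip" and the
# older "path = caps+eip" output styles are accepted; anything broader, such
# as cap_sys_admin, or no capabilities at all, fails the check.
caps_ok() {
    caps=$(printf '%s\n' "$1" | sed -e 's/^[^ ]* *=* *//' -e 's/[=+]eip$//')
    [ "$caps" = "cap_net_admin,cap_net_raw" ]
}

# audit_dumpcap: report whether the installed dumpcap is set up as intended.
audit_dumpcap() {
    if caps_ok "$(getcap "$DUMPCAP" 2>/dev/null)"; then
        echo "ok: $DUMPCAP carries only cap_net_admin,cap_net_raw"
    else
        echo "warning: $DUMPCAP capabilities are missing or too broad" >&2
        return 1
    fi
}
```

Run harden_dumpcap as root once per user who needs to capture (the user must log in again for the new group to take effect), then audit_dumpcap from any account. From then on wireshark is started as the normal user, dumpcap alone holds the capture privilege, and a dissector bug is confined to the unprivileged analyzer process.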

Filtering Packets:

Sometimes you want to see only specific traffic, such as the packets a program sends when it phones home. On a busy network the capture fills with packets from every application, and without filters you would have to close everything else that uses the network in order to isolate one kind of traffic. This is where Wireshark's display filters come in. Type a filter expression into the filter box at the top of the window and click Apply, or press Enter. For instance, to see only DNS packets, type dns (protocol names in display filters are lowercase) in the filter box. Wireshark auto-completes filter names as you type them.

Color Coding:

Wireshark colors each row of the packet list according to the coloring rules of the active profile (View > Coloring Rules), so the type of a captured packet can be read at a glance. In the default profile, Transmission Control Protocol (TCP) traffic is shown in light purple, User Datagram Protocol (UDP) traffic in light blue (Domain Name System (DNS) traffic normally travels over UDP and gets the same color), HTTP in light green, and TCP packets with problems such as retransmissions or out-of-order segments in black with red text. The rules are fully editable, so the colors can differ from one installation to another.


Dirb is a web content scanner

Dirb is a web content scanner. Its principal feature is finding hidden directories and files on a web server by launching dictionary-based attacks, mostly plain HTTP requests, against the target.

Dirb ships with default wordlists to make the attack easy to start. Its main purpose is web application auditing: it helps a professional test the controls that protect a website, and it occasionally finds holes that the classic vulnerability scanners miss, because Dirb looks for specific objects on the site rather than for general vulnerabilities. Its purpose is to find web content that may be vulnerable.

How Dirb works:

Dirb's default wordlist (wordlists/common.txt) has around 4,000 entries for the brute-force run; many larger and more recent wordlists are available online and can be used instead. For each entry, Dirb requests that name under every directory it is scanning and reports the ones the server answers for. A hit may be an admin panel or a subdirectory that is vulnerable to attack. The fundamental point is that such objects are hidden, not linked from anywhere, so they can only be found by guessing.

How to acquire it?

Download Dirb via Sourceforge: https://sourceforge.net/projects/dirb/

Using Dirb:

First, download Dirb. Then unpack the archive:

sudo tar -xvzf dirb222.tar.gz

The dirb directory is now unpacked, and you can see it with the ls command. Change into it and make the configure script executable:

chmod u+x configure

Run the configure script and then build with make:

./configure
make

Dirb is now built, and you can run it from that directory with:

./dirb URL

Testing with the specific vulnerability lists:

Dirb can be used to test for specific vulnerable objects within particular types of web technology. Every web technology has its own vulnerabilities; they are NOT all the same. Dirb helps you search for the vulnerable objects specific to the technology in use. These tests are performed over the TCP ports that serve the web application, typically:

  • TCP/80 – HTTP
  • TCP/443 – HTTPS (HTTP over TLS/SSL)

These ports must be open for the site to serve its pages at all, so a firewall cannot do much to block attacks directed at them without also blocking legitimate users; any filtering has to happen at the application layer.

Dirb has specific wordlists for these often-hidden vulnerable objects. You can find them in the wordlists/vulns directory of the distribution:

cd wordlists/vulns

Then list the contents of that directory:

ls -l

There is one file per technology to test. If the web server is Apache and you want to test it, use apache.txt.

To run the scan:

./dirb http://webscantest.com wordlists/vulns/apache.txt
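The mechanism described under "How Dirb works", as an added example (not Dirb's own code): a POSIX shell scanner that takes a base URL and a wordlist, requests each name, and reports everything the server does not answer with its "not found" response. It assumes curl is installed; the base URL and wordlist are whatever you pass in, and the example includes a baseline probe for servers that answer every path with 200.

```shell
#!/bin/sh
# Added example, not part of Dirb: the core of a dictionary-based content
# scan in POSIX shell, so the loop Dirb automates is visible.
# Assumptions: curl is installed; the target URL and wordlist are whatever
# you pass in (nothing here refers to a real site).

# probe URL: print the HTTP status code the server returns for a GET of URL
# ("000" if the connection fails). The body is discarded; only the code matters.
probe() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 5 -A 'content-scan-example' "$1"
}

# baseline_code BASE_URL: ask for a name that cannot exist. Servers that answer
# every path with 200 (soft 404) would otherwise make every word look like a hit.
baseline_code() {
    probe "$1/zz_$(date +%s)_does_not_exist"
}

# scan BASE_URL WORDLIST [EXTENSION]
# For every non-empty, non-comment word in WORDLIST request BASE_URL/word[EXT]
# and print "CODE URL" for each response that differs from the baseline.
# 403 is reported too: a forbidden path still proves the object exists.
scan() {
    base=${1%/}
    wordlist=$2
    ext=${3:-}
    missing=$(baseline_code "$base")
    while IFS= read -r word || [ -n "$word" ]; do
        case $word in ''|'#'*) continue ;; esac
        url="$base/$word$ext"
        code=$(probe "$url")
        if [ "$code" != "$missing" ] && [ "$code" != "000" ]; then
            printf '%s %s\n' "$code" "$url"
        fi
    done < "$wordlist"
}
```

scan http://webscantest.com wordlists/vulns/apache.txt would request the same Apache-specific names Dirb does. Dirb adds recursion into discovered directories, the -X extension list and the option to ignore particular status codes, but the loop is the same, and so is the noise: every request lands in the target's access log.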

Bash Scripting. Shebang


The command interpreter, or shell, is a program that lets users interact with the system by processing the commands they type. Commands invoked from the shell fall into two groups: internal commands, which the shell itself interprets, and external commands, which are executable files outside the shell. Besides commands, shells offer other elements that extend what they can do, such as variables, functions, and control structures. The set of internal commands and elements available, and their syntax, depends on the particular shell used.

Besides interactive use from the command line (the prompt is the shell's way of announcing that it is waiting for a command), a shell can interpret shell scripts. A shell script, or "command script", is a text file containing a sequence of commands that the shell can interpret.

Unix operating systems have many shell implementations (on Windows the equivalents are the command.com and cmd.exe programs). Grouped by origin and syntactic similarity, including their internal commands, the Unix shells fall into two large families: the Bourne shell family (sh, ksh, bash, zsh) and the C shell family (csh, tcsh). Some other shells see residual use, and shells within one family differ in details, but much of their syntax is common.

What’s a bash script? What they are and what they do?

Simply put, a bash script lets you execute commands from a file, with the shell as the interpreter. That is what makes it convenient: everything in the Unix toolset is available to the script directly. With Python scripting, the idea of "modules" comes to mind at once; with a bash script you do not have to install dependencies, additional extensions or modules to use the tools already on the system.

Is bash scripting better than Python scripting? That depends on the background and perception of the programmer, but many system administrators prefer bash for this kind of work. The shell is built into every Unix system and gives the script the entire Unix toolset, down to network sockets (bash's /dev/tcp), and each line of the script is exactly the command you would type at the prompt. That makes the process intuitive and easy to understand.

Running Bash scripts

Running a bash script is fairly easy. Another term you may come across is "executing the script", which means the same thing. Before a script can be executed it must have the execute permission set; for safety reasons this permission is generally not set by default. If you forget to grant it before running the script, you just get an error message ("Permission denied") and no harm is done.

Bash Scripting. Is the best… But, for what exactly?

Bash scripting lets system administrators copy, update, and back up files almost automatically. Bash scripts can do many tasks, from querying data exported from a spreadsheet to compiling data, extracting figures, and producing large amounts of output. Nothing is perfect, of course: for heavy statistical calculations or merging many data types it falls short, because the shell is focused on running the system itself. It remains really useful for managing files, running programs and scripts, and above all for automating tasks.

Let's create a simple bash script as an example, to understand the syntax and what we mean by interpreting a file.

You can do this on any Unix/Linux operating system, with the shell and editor of your choice. Start at the prompt with a command that displays the word hello:

echo hello

echo displays its arguments, "echoing" the text back to you. This single command is already, in essence, a shell script: it is a command that the shell interprets when you press Enter.


You can see that the shell interprets it and "understands" what you are trying to do. Scripting takes this one step further: it lets you execute many such commands from a file, through the shell. People sometimes forget how powerful that possibility is.

You can create the script in any text editor.

By convention the file gets the .sh extension, and it can be stored anywhere. Let's create a file called Simple.sh and save it on the Desktop.

The first thing to put in the new file is a declaration of the interpreter that is going to run it.

This first line is called the "shebang": the "#" is a sharp, like the sign in sheet music, and the "!" is a bang. The two characters #! at the very beginning of an executable script tell the kernel that the file is to be interpreted, and the path that follows them on that same line is the interpreter to use.


In our case bash is going to interpret the script we are about to create, but any interpreter can be named after the shebang. The same mechanism serves, for example, a script written to obtain a reverse shell on a client, or a script used for privilege escalation.


Keep the terms apart: bash is one particular shell, that is, one command interpreter; the terminal is the program that displays the shell and passes your keystrokes to it. sh, bash, zsh and the others are all shells, and a script whose shebang names #!/bin/sh gets the system's POSIX shell, which may lack bash-specific features.

We will use bash, so the first line of Simple.sh is:

#!/bin/bash

On the next line we type the text we want to display, between quotation marks so that everything inside them is printed exactly as written. So, after the shebang, we add the following line to the new file:

echo "Hello world! This is the first shell script"

Save the script; now let's execute it.

Open a terminal and change to the directory containing the script:

cd /root/Desktop

Make sure the script is executable by granting it the "execute" permission with the chmod command:

chmod +x Simple.sh

Now run it. The ./ prefix is simply the path to the script (the current directory); it is needed because the current directory is normally not on the PATH. When the kernel loads the file it reads the shebang and starts the interpreter named there, /bin/bash, with the script as its input:

./Simple.sh

which prints the following result:

Hello world! This is the first shell script

This is a very simple example, but it shows the mechanics: a script is a series of commands executed from a file (here Simple.sh), and the shebang "instructs" the system which interpreter to run it with. If you receive a script you did not write, the shebang tells you which interpreter it expects; if you write one, the shebang lets another user run it with ./Simple.sh, through the interpreter you chose, without having to inspect it first. With the chmod command you can also restrict the script so that only certain users may execute it.
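A script of the kind the section describes (copying and backing up files), as an added example that is not part of the original post: it puts the shebang, error handling, a function, argument checking, exit codes and a permission restriction on the result together in one runnable file. The source and destination paths are whatever the caller passes in; nothing in it is specific to one machine.

```shell
#!/bin/bash
# Added example, not from the original post: a small but complete
# administration script (back up a directory) showing the shebang, strict
# error handling, a function, argument checking, exit codes and a permission
# check on the result. Paths are whatever the caller passes in.
set -eu

# backup_dir SOURCE_DIR DEST_DIR
# Archive SOURCE_DIR into DEST_DIR/<name>-<timestamp>.tar, readable only by
# the owner (backups usually hold sensitive data), and print the archive path.
# Returns 1 if SOURCE_DIR is not a directory.
backup_dir() {
    src=${1%/}
    dest=$2
    if [ ! -d "$src" ]; then
        echo "backup_dir: not a directory: $src" >&2
        return 1
    fi
    mkdir -p "$dest"
    archive="$dest/$(basename "$src")-$(date +%Y%m%d-%H%M%S).tar"
    # -C so the archive holds "name/..." rather than the absolute path
    tar -cf "$archive" -C "$(dirname "$src")" "$(basename "$src")"
    chmod 600 "$archive"
    printf '%s\n' "$archive"
}

# verify_backup ARCHIVE: succeed only if tar can list the archive intact.
verify_backup() {
    tar -tf "$1" >/dev/null
}

# When run with arguments, behave as a command-line tool: wrong usage exits 2.
# With no arguments the functions are only defined, so the file can be sourced.
if [ "$#" -gt 0 ]; then
    if [ "$#" -ne 2 ]; then
        echo "usage: $0 SOURCE_DIR DEST_DIR" >&2
        exit 2
    fi
    archive=$(backup_dir "$1" "$2")
    verify_backup "$archive" && echo "backup written: $archive"
fi
```

Save it as backup.sh, chmod +x backup.sh, and run ./backup.sh /etc /var/backups; the shebang picks /bin/bash, set -e stops the script at the first failing command instead of continuing with a half-written archive, and the chmod 600 keeps the copy of /etc from being world-readable.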

Easy HoneyPots – Canary Tokens:


The familiar web bug is an image that tracks users when they open an email: a unique URL embedded in an image tag generates an incoming GET request to the tracking server as soon as the message is rendered.

Canary tokens apply the same principle elsewhere: to file reads, database queries, the execution of queries, or a pattern that appears in log files. Because a token is cheap, you can plant traps in every area of your infrastructure and production systems, which is more efficient than setting up a few separate honeypots as beacons.

Technical details:

Network breaches happen more often nowadays and affect small businesses as well as large corporations. What these tokens buy you is time: they tell you immediately that someone is trying to break into your system, and which decoy they touched.

Canary tokens are available for free at http://canarytokens.org: you generate your own token and receive a notification at your email address whenever someone reaches or opens the specific file or URL you planted in your network.

How tokens work:

  1. Visit the website mentioned above and get a free token; depending on the type of honeypot you select it takes the form of a URL, a hostname, a document, and so on.
  2. If an unauthorized user or attacker triggers the token you placed on your network, Canary sends you an out-of-band email saying that the token has been opened.
  3. Canary also provides a variety of tools and hints that increase the chance that an attacker trips over the token.

Demonstration of Usage:

As mentioned before, visit http://canarytokens.org and select the type of honeypot you want to add to your environment; the available options are shown in the picture below:

After selecting the type of token, add a description for the notification that will be sent to your email and click "Create my Canarytoken". The process is shown in the picture below:

After clicking "Create my Canarytoken" the page shows the address of the token. In this case we selected a Microsoft Word document; the page lets you download the file, which you can rename to something appealing to any attacker who gets access to the computer. The download page is shown in the picture below:

Now download the file and rename it to a name that suggests a store of sensitive data, like the one shown in the picture below:

Opening the file shows that it is empty, but the token has already fired. Checking the email address chosen for notifications confirms that Canary sent an alert about the unauthorized access to the token.

CanaryTokens is a free and easy way to set honeypots across a work environment and watch for specific actions on your network. It is a helpful defensive tool against possible threats and a practical way to keep a record of attempts that may affect the integrity of your data or the privacy of your files.
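The web-bug mechanism the section opens with, done by hand as an added example (not code from canarytokens.org): a POSIX shell script that mints an unguessable token, produces the image tag to plant, and pulls every request for that token out of a web server access log, which is exactly the signal the hosted service turns into an email. The host canary.example and the log lines used for testing are constructed.

```shell
#!/bin/sh
# Added example, not from canarytokens.org: the mechanism behind a URL/web-bug
# token, done by hand. new_token makes an unguessable token, token_html gives
# the <img> line to plant in a document or page, and canary_hits pulls every
# request for the token out of a web server access log in combined log format.
# The host canary.example and the log lines used in tests are constructed.

# new_token: 16 hex characters from the kernel RNG. The value must be
# unguessable; a predictable token could be set off by a scanner without
# any real intrusion having happened.
new_token() {
    od -An -N8 -tx1 /dev/urandom | tr -d ' \n'
}

# token_html HOST TOKEN: a 1x1 image that fetches the token URL when rendered.
token_html() {
    printf '<img src="http://%s/%s/pixel.gif" width="1" height="1" alt="">\n' "$1" "$2"
}

# canary_hits TOKEN LOGFILE: print "[time] client-ip user-agent" for each
# log line containing TOKEN. Apache/nginx combined format:
#   IP - - [time] "METHOD PATH PROTO" STATUS BYTES "REFERER" "USER-AGENT"
# Splitting on '"' isolates the user agent ($6); the first field, split again
# on spaces, gives the client IP and the two halves of the timestamp.
canary_hits() {
    grep -F -- "$1" "$2" | awk -F'"' '{
        split($1, pre, " ")
        print pre[4] " " pre[5] " " pre[1] " " $6
    }'
}
```

Plant the output of token_html in a decoy page or mail, then run canary_hits against the access log periodically or from an alerting job: a single line of output is an out-of-band signal that somebody opened the decoy, together with the source address and client that did it. The hosted service does the same on its own web server and mails you the result.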




Hydra is a tool for cracking network login passwords that runs on Linux (it also builds on other Unix-like systems). It comes pre-installed on Kali Linux and Parrot. If hydra does not show up as a pre-installed tool, installation is a single command.

Installing Hydra:

The installation process of Hydra is quite simple; the following command installs all the packages that hydra requires:

apt-get install hydra

Hydra Options:

The syntax of the tool is simple: the name of the tool, followed by options, the host, and the service the attack is directed at, as shown below:

hydra [options] host service

The main functions of hydra revolve around two flags:

  • -l LOGIN: the single username to attack (use -L FILE for a list of usernames)
  • -P FILE: the password list that is used as the dictionary for the attack (use -p for a single password)

The -P flag names the file that drives the attack; an example of the syntax:

hydra -l user1 -P wordlist.txt host smb

The service cannot be left out: hydra needs to know which protocol to speak. It is given either as the last argument, as above, or in URL form (smb://host), which also allows a port and service-specific options to be attached. Giving the full path of the wordlist avoids surprises when hydra is started from another directory.

Creating your own wordlist:

A wordlist to serve as the dictionary for the attack can be generated with a program called crunch, which produces combinations of letters and digits according to the options you configure. This step is essential, because the wordlist is the key to a dictionary attack; trying different wordlists improves the chances of the brute-force attack.

Crunch installation process:

The process of installation for crunch can be performed by typing the following command:

sudo apt-get install crunch

After installation, crunch can write the candidates to a text file or pipe them directly into another program; an example is shown in the picture below:

Afterwards the file can be found in the folder selected for it:

Testing Hydra:

Having explained the different characteristics of hydra, we show a few example attacks on servers. The first is an attack on an FTP server: once the wordlist is created and the IP address of the server is known, the attack looks like this:

As the picture above shows, we obtained the password of one of the users configured on the FTP server. In the example below the process is repeated against an SMB service, with the same result:

hydra -l user1 -P wordlist.txt smb://host

Other methodologies:

The next step is cracking the password of an email account. Email submission is usually handled by an SMTP service, so hydra targets that service and the port it listens on. The following command directs the attack at smtp.gmail.com on port 465, where SMTP is offered over SSL/TLS (-s selects the port, -S turns on SSL). Gmail rate-limits and blocks password guessing, so this serves only to illustrate the syntax:

hydra -l jdoe@gmail.com -P /root/Desktop/wordlist.txt -s 465 -S smtp.gmail.com smtp

The last hydra flag presented here is -x. At times a user has a ridiculously long and complicated password that dictionary attacks cannot crack; the one method every password eventually falls to is brute force, where every combination is tried in turn. CPU speed (and, for an online attack, the server's response rate and any lockout policy) determines how long it takes, but given enough time the password is found. The brute-force option is invoked as follows, with MIN:MAX:CHARSET giving the length range and the character classes (a for lowercase, A for uppercase, 1 for digits):

hydra -l jdoe -x 4:8:aA1 host service
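A worked example for the two passages above, the wordlist generation with crunch and the -x brute-force mode (added here; not code from Hydra or crunch): a POSIX shell script that enumerates every string over a character set within a length range, the way crunch and hydra -x do, and computes the size of that keyspace and the worst-case time at a given guess rate, which is what decides whether a brute-force run against a network login is realistic at all. The character sets, lengths and guess rate are whatever the caller passes in.

```shell
#!/bin/sh
# Added example, not part of Hydra or crunch: generate a brute-force wordlist
# (what crunch or hydra -x do) and compute how many guesses a charset/length
# range implies, to judge whether a brute-force run is realistic at all.
# Charset strings, lengths and the guess rate are whatever the caller passes.

# _expand PREFIX REMAINING TODO_CHARSET FULL_CHARSET (internal, recursive)
# Emit PREFIX followed by every string of REMAINING characters drawn from
# FULL_CHARSET. Only positional parameters are used, so the recursion does
# not clobber state (shell function variables are global).
_expand() {
    if [ "$2" -eq 0 ]; then
        printf '%s\n' "$1"
        return 0
    fi
    [ -n "$3" ] || return 0
    # take the first character of the remaining charset ...
    _expand "$1$(printf '%.1s' "$3")" $(( $2 - 1 )) "$4" "$4"
    # ... then continue with the rest of it
    _expand "$1" "$2" "${3#?}" "$4"
}

# gen_words CHARSET MIN MAX: every string over CHARSET of length MIN..MAX,
# one per line, shortest first.
gen_words() {
    len=$2
    while [ "$len" -le "$3" ]; do
        _expand "" "$len" "$1" "$1"
        len=$(( len + 1 ))
    done
}

# keyspace CHARSET MIN MAX: the number of candidates gen_words would print,
# i.e. the sum over L = MIN..MAX of |CHARSET|^L.
keyspace() {
    n=${#1}
    len=$2
    total=0
    while [ "$len" -le "$3" ]; do
        size=1
        i=0
        while [ "$i" -lt "$len" ]; do
            size=$(( size * n ))
            i=$(( i + 1 ))
        done
        total=$(( total + size ))
        len=$(( len + 1 ))
    done
    printf '%s\n' "$total"
}

# eta_seconds CHARSET MIN MAX GUESSES_PER_SECOND: worst-case seconds to
# exhaust the keyspace at the given (online) guess rate.
eta_seconds() {
    printf '%s\n' $(( $(keyspace "$1" "$2" "$3") / $4 ))
}
```

gen_words abc123 4 6 > wordlist.txt produces a file hydra -P can consume; keyspace abcdefghijklmnopqrstuvwxyz 8 8 shows why -x 8:8:a is hopeless against a network service that answers a few hundred attempts per second, and why a good dictionary, not raw brute force, is what makes an online attack practical.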


Final Considerations:

Passwords are the most commonly used mode of authentication. Attacks can of course target the system itself, but from personal experience it is much easier to attack a specific password-protected account, or one hosted on a server.

That alone can compromise the whole system. There is a wide range of methods for cracking passwords. Another tool for this purpose is John the Ripper, which overlaps with Hydra in scope but focuses on offline cracking of password hashes to test their strength. The methods discussed above are brute force, dictionary attacks, and direct attacks on people (phishing, social engineering, and users' lack of awareness). All but the last can be carried out with THC-Hydra (Hydra). Hydra can also be combined with Nessus, the vulnerability scanner, which often calls Hydra to complete its checks. Below is an example video of hydra performing different attacks: