EvilZone


: Basic Forensics with Wireshark
: Daemon August 14, 2012, 11:08:09 PM
Basic forensics using Wireshark

Wireshark is a free, open-source packet analyzer that can be used both to capture packets and to read packet captures. Now this may sound like no big deal; so what if you can see some packets on the network, right? Not at all: using Wireshark you are able to intercept passwords, re-create files that were transferred so that you know what the file is, even read emails that were sent while Wireshark was running. It is also used to identify network performance issues to help decrease lag across your network.
Sound a bit more useful now?

Contents in this tutorial:

1. Setting up Wireshark-A few things to do
2. What does this mean? How to read a packet
2.5 Interesting packets, packets that mean something
3. TCP Stream
4. Extracting Data
5. Not Wireshark-But we have to finish!
6. In closing



Download the packet capture we will be using in this tutorial: http://upload.evilzone.org/download.php?id=926911&type=zip

1. Setting up Wireshark

This is assuming you have Wireshark installed and have a capture file to examine. Feel free to download the capture provided with this tutorial so that you can follow along.

First things first, after opening it up you see something like this:
(http://i46.tinypic.com/1izsl5.jpg)

Now starting from the left we have different columns that we can use to help us sort through all of this info. In order to read packets better you should go to Edit > Preferences > Columns and add Destination Port (unresolved) as a column. That tells us which port the packet is connecting on, 25 for SMTP, 80 for HTTP, and so on. This will help you identify what's going on and if a program is connecting through the correct port. Not so useful in the confines of this example packet or tutorial, but definitely worth having farther down the road. Feel free to sort the columns into whatever order you prefer, though personally I think it's helpful to keep the No. column on the left. Please do so for this tutorial as I will be referencing packets by number.


2. How to Read a Packet

Now that we have our packets opened up, we'll sort them by number in descending order. Referring to the image above you can see that Wireshark gives us a lot of info about each packet. The source and destination IPs tell you whether the packet came from the host (your computer for example) or the server/computer/website you're connecting to. If we look at packet one, we see that our host is 192.168.0.150 and our destination is 192.168.0.100. From that alone we can tell that these two computers are on the same network, and assuming the subnet mask is 255.255.255.0 (the most common on home networks) then we can tell they are on the same subnet within the network. For a more detailed explanation check out Networking - The Basics parts 1 (http://evilzone.org/tutorials/networking-the-basics-part-12/) and 2 (http://evilzone.org/tutorials/networking-the-basics-part-22/)

The next columns we see are the destination port, and the protocol. The destination port tells you what port the packet went through, which if you use the list of ports found HERE (http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers) can tell you a lot about the program being used. Again, not so useful within our example capture however. The protocol column tells you what protocol it's using:

-TCP is the protocol that controls any inter-electronics communication. It uses a 3-way handshake using SYN, SYN/ACK, and ACK packets to talk and is its own tutorial by itself. Just know that it exists, and is SUPER important to how computers talk to each other. For more info, HERE (http://en.wikipedia.org/wiki/Transmission_Control_Protocol)
-FTP is used for file sharing
-SMTP is used for email
-HTTP is used for web browsers

For a full list of protocols check HERE (http://en.wikipedia.org/wiki/Lists_of_network_protocols). This tutorial is mostly concerned with the SMTP protocol in our capture file.

The final two columns are length and info. Length tells you how large the packet is in bytes and info tells you all the juicy stuff. Just take a minute to scroll through and see what's going on in the Info column. I don't know how to explain it, it just makes enough sense if you read English that you can tell whether or not it's worth looking at (at least it does for me).



2.5 Interesting packets

Let's take a quick look at a few interesting packets, and why I consider them interesting:

This one has the word login. Need I say more? In this case it's not so important, but LOGIN is always worth looking out for ;)

(http://i45.tinypic.com/4v65gz.jpg)


This one has the word telnet, the original computer to computer protocol. And telnet is never encrypted :)  Again though, not important in this tutorial, but always worth looking out for.

(http://i49.tinypic.com/30vljf7.jpg)


Ah ha! Mail From. That's what we're looking for ;)

(http://i45.tinypic.com/f09lrr.jpg)


Now lets look at the surrounding packets so we can see what all is going on here.

(http://i48.tinypic.com/mhfud.jpg)


So from this block of packets, we can see that an email was sent from <root@localhost.local> to  <postmaster@localhost.local>  (both machines are on the same network remember)

Now that we have identified what we're looking for, time for the next step....



3. TCP Stream



Next step is to view the TCP stream: right click on any of those packets in that SMTP block and go to Follow TCP Stream. This also applies a filter to the top of your main Wireshark screen which you need to clear after you're finished reading the TCP stream in order to get back to the entire capture. More on that later.

(http://i46.tinypic.com/i1cn04.jpg)

You should see a screen like this:

(http://i45.tinypic.com/291g8t4.jpg)


What's that? a backup password?? Must be important, take note of it :)





4. Extracting Data

Now we continue looking through our stream, however instead of looking through the whole thing again for interesting packets, let's sort by source type and scroll down to the SMTP protocols.

Don't forget to clear your filter!

(http://i46.tinypic.com/5ppshf.jpg)

All those packets labeled data fragment? That means that data was sent over the SMTP protocol, in other words an attachment of some sort. Now don't stress just because it says fragment; it's sent in fragments but our trusty Follow TCP Stream will show us the whole thing. Right click on one of those packets and follow the stream.

(http://i48.tinypic.com/n1xob9.jpg)


Unfortunately it's not sent in plain text like the message earlier. But if it's not in plain text then how does the recipient know how to view the file? Is it some super secret code he knows? Negative. The secret lies right here:

(http://i49.tinypic.com/206d6rc.jpg)


The encoding is Base64. Now this could mean many things, and if your first guess is to use a Base64 decoder online then you wouldn't be the only one. However that won't work, as this isn't some algorithm but rather a way for the computer to translate the attachment into data that can then be interpreted into binary and sent over the network. So rather than decoding, we simply hit Save As, in any folder you like, any name you like.

Another good guess would be to then open this file by right clicking > Open With > 7-Zip (or your preferred unzipping program) as the file was labeled Backup.rar (right above where the encoding was) and .rar is the extension for zipped files. Again though, this won't work. The thing to remember is that this packet was sent by email, and in order for an email client to do that it first has to convert the data into a form that the client can read. So that confusing block of text that looked like a super secret code is actually how the client interprets the computer's interpretation of the data.

Confusing to read, but a simple solution: open this file in an email client!! (I used Thunderbird, not sure if it will work on Hotmail or any web-based email program, but just open it with Outlook if you're on Windows.) However, you can't do an Open With > Thunderbird or your client will read it as an attachment, when in fact it's a saved message. Instead open up your client and go to File > Open Saved Message. Make sure you have All Files selected instead of Saved Message, then select your extracted file:


(http://i49.tinypic.com/2r6mhbl.jpg)


Open it up and we have a blank message, with an attachment called backup.rar!!! Save that attachment, and then run 7-Zip (or whatever you use) to extract the files from that .rar file and you will be prompted for a password. Remember the first SMTP protocol packets that we looked at? Try typing in that password, and voilà!!! We have the files! Congratulations, you have just completed your first attempt at forensics using Wireshark :)

These files are worthless btw, don't spend 10 mins trying to read something important out of them :P



6. In closing

Wireshark is one hell of a program; I fell in love with the simple GUI and the readability of it. I also find it extremely simple to use, and while there are many other packet capture programs out there, I won't be switching anytime soon. If you want practice with it, simply start a capture and connect to the internet or send an email, then save the capture and try to see what info you can extract from it (FB uses SSL so you won't be grabbing plain text login info, sorry to disappoint :P). Or check out sites with hacking challenges and attempt to do their forensics challenges, it's good practice.

Also, big thanks to RedBullAddicted who helped me learn how to use Wireshark and continues to help me better understand networking and protocols. And thanks to you for reading this tutorial, perhaps as I become more comfortable/fluent with Wireshark I will write a more advanced guide that covers the complexities of this program.


Cheers! ^_^
 

Suggested Reading:

OSI model (http://en.wikipedia.org/wiki/OSI_model)
TCP/IP model (http://en.wikipedia.org/wiki/Internet_protocol_suite)


Disclaimer*
I did not make the capture file, a fellow I know created it for his own enjoyment and to let his friends play with for fun to "beat the challenge". I was given permission to use it here.
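The procedure in sections 3 and 4 above, done in code rather than by hand, as an added example that is not part of the original tutorial: reassembling one direction of the TCP conversation from its segments (what Follow TCP Stream does), cutting out the SMTP DATA section, and letting Python's email module do the MIME parsing and base64 decoding that the mail client performed when it showed the attachment. Only the standard library is used. The SMTP session, the host addresses, the attachment bytes and the segment sizes are all constructed here, so nothing depends on the capture from the download link.

```python
"""Follow a TCP stream and pull the SMTP attachment out of it, in code.

Added example, not part of the original tutorial: it does in Python what the
tutorial does by hand with Follow TCP Stream, Save As and a mail client. Only
the standard library is used. The SMTP session, addresses, attachment bytes
and segment boundaries below are constructed for the demo.
"""
import base64
import email
import re
from email import policy

CLIENT = ("192.168.0.150", 51234)   # assumed sending host and ephemeral port
SERVER = ("192.168.0.100", 25)      # assumed mail server

# Constructed attachment: the RAR 4.x file signature followed by filler bytes.
FAKE_RAR = b"Rar!\x1a\x07\x00" + bytes(range(24))
MIME_MSG = (
    "From: root@localhost.local\r\n"
    "To: postmaster@localhost.local\r\n"
    "Subject: backup\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n'
    "\r\n--b1\r\n"
    "Content-Type: text/plain\r\n\r\n"
    "\r\n--b1\r\n"
    'Content-Type: application/octet-stream; name="Backup.rar"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    'Content-Disposition: attachment; filename="Backup.rar"\r\n\r\n'
    + base64.b64encode(FAKE_RAR).decode() + "\r\n"
    "--b1--\r\n"
)

# Client-to-server bytes of the session (server replies left out for brevity).
CLIENT_STREAM = (
    b"EHLO client\r\n"
    b"MAIL FROM:<root@localhost.local>\r\n"
    b"RCPT TO:<postmaster@localhost.local>\r\n"
    b"DATA\r\n" + MIME_MSG.encode() + b".\r\n"
    b"QUIT\r\n"
)

def make_capture(isn=1000, mss=60):
    """Cut the stream into (src, dst, seq, payload) segments, then swap two
    and duplicate one so the reassembler has something to put right."""
    segs = [(CLIENT, SERVER, isn + off, CLIENT_STREAM[off:off + mss])
            for off in range(0, len(CLIENT_STREAM), mss)]
    segs[2], segs[3] = segs[3], segs[2]      # out-of-order delivery
    segs.append(segs[5])                     # retransmission
    return segs

def follow_stream(capture, src, dst):
    """Reassemble one direction of a conversation: order by sequence number,
    drop retransmitted bytes, and refuse to paper over a gap."""
    segs = sorted((seq, data) for s, d, seq, data in capture if (s, d) == (src, dst))
    if not segs:
        return b""
    out, next_seq = bytearray(), segs[0][0]
    for seq, data in segs:
        if seq + len(data) <= next_seq:
            continue                          # whole segment already seen
        if seq < next_seq:
            data, seq = data[next_seq - seq:], next_seq   # partial overlap
        if seq > next_seq:
            raise ValueError(f"missing bytes at seq {next_seq}; stream is incomplete")
        out += data
        next_seq += len(data)
    return bytes(out)

def smtp_data_section(stream):
    """Return the raw message between DATA and the lone '.' line, with SMTP
    dot-stuffing undone (a body line starting with '.' is sent as '..')."""
    m = re.search(rb"\r\nDATA\r\n(.*?)\r\n\.\r\n", stream, re.S)
    if m is None:
        raise ValueError("no complete DATA section in stream")
    return re.sub(rb"(?m)^\.\.", b".", m.group(1))

def extract_attachments(raw_message):
    """Parse the MIME message and decode every part that carries a filename.
    get_payload(decode=True) is the base64 step the mail client performs."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return {part.get_filename(): part.get_payload(decode=True)
            for part in msg.walk() if part.get_filename()}

def recover_attachments(capture):
    stream = follow_stream(capture, CLIENT, SERVER)
    return extract_attachments(smtp_data_section(stream))

if __name__ == "__main__":
    for name, data in recover_attachments(make_capture()).items():
        print(f"{name}: {len(data)} bytes, starts with {data[:7]!r}")
```

Running the file prints the attachment name and its first bytes; `Rar!\x1a\x07\x00` is the signature of a RAR archive, which is the check worth making before handing the output to an archiver. `follow_stream` stops at a missing segment rather than silently gluing the surrounding bytes together, because a capture with a gap in it cannot be trusted to decode correctly.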
: Re: Basic Forensics with Wireshark
: Kulverstukas August 15, 2012, 05:51:07 AM
Damn, man. This time you really outdone yourself! :)
Very nice and informative article. +2 to you! :D (I don't have to wait an hour :P)
: Re: Basic Forensics with Wireshark
: hanorotu August 15, 2012, 06:24:32 AM
very nice I will try this
: Re: Basic Forensics with Wireshark
: RedBullAddicted August 15, 2012, 07:43:00 AM
+1 Very good... couldn't have done it better myself and I am using Wireshark nearly every day for my job. Nice that you mentioned that Wireshark can even be used for doing good stuff like hunting network performance issues (e.g. looking for TCP retransmissions and analysing why you have them).

Now that you have explained how people can find interesting stuff in a capture file they surely want to know how to capture stuff. I just want to add some ideas for further reading. You need to know that your capture quality depends on the point where you are capturing. For doing some analysis you should capture on both machines, the sender and the recipient, and compare your results later. Normally you will capture on your own box and for this you will only be able to see the traffic regarding your own machine (and some broadcasts like DHCP Discover and Request). Some things you can use to see a little bit more:
1. If you have access to a managed network switch you can implement a mirror port
2. Do some ARP poisoning like I have explained here: http://evilzone.org/tutorials/network-securtiy-features-and-how-to-get-pass-part-1-dynamic-arp-protection/
3. You can use some DHCP attacks (I am writing a tutorial about that at the moment)
4. Use a network tap (google for it, they can easily be built yourself)

Do you know the difference between a switch and a hub? Basically the switch only sends the traffic to the relevant port while a hub just sends it out to all ports. This means a hub is very nice for capturing. As I said before, a WLAN access point is just working the same way as a hub.

Again... thanks for that great tutorial. You will become a great networking guy if you go on with this.  :)
: Re: Basic Forensics with Wireshark
: z3ro August 15, 2012, 08:48:28 AM
+1 for you man! Awesome!
: Re: Basic Forensics with Wireshark
: Daemon August 15, 2012, 06:23:07 PM
Wow, thanks for the great feedback guys. It's that sort of positive response that makes me want to write more tuts XD

@RedBullAddicted
Good points to bring up, guess I may have to write a tutorial about how to effectively capture using Wireshark next.

You will become a great networking guy if you go on with this.

^^ thats the plan lol
: Re: Basic Forensics with Wireshark
: Crouton August 21, 2012, 08:47:31 AM
That was wonderful, thank you. I followed along with every step and at some points even found myself doing what I thought would come next, then reading the tut, and I was right. this is my first time using Wireshark and I'm glad its got such a simple interface (well for at least the things that you've gone over in this tutorial).

I do have two questions though:
1. When I was reading this I wasn't logged into the forum, then afterwards I started a capture, logged in, and stopped it to try to see if I could find in the packets my own login information. So I found my username, but next to it instead of my password it says "user=Crouton&passwrd=&cookielength=-1&hash_passwrd=7bbf264cdc9a2f868c839a436150bfd7e11fd68eHTTP/1.1 302 Found" how come it doesn't actually show my password?
2. My second question is how come right after that it says "Expires: Thu, 19 Nov 1981 08:52:00 GMT" would this be refering to the server?

Edit.
A third question just came to mind, if I'm using this program from my own computer to capture packets how do I use it to capture packets left by other people?

Sorry I sound like a noob, I'm just trying to learn.
: Re: Basic Forensics with Wireshark
: Daemon August 21, 2012, 04:20:39 PM
Nps man, asking questions IS how you learn. And they are good questions, not ones I answered in the tutorial lol.

Start from the top...

1. That's because it's encrypted. I don't know if you were using our new SSL connection or not, but either way most sites won't send password info unencrypted because it's just not safe. Where it says "hash_passwrd=" is what tells you that it's encrypted (hash = encrypted text) so you're more than welcome to run that hash through an MD5, or SHA1, or something. Just google some hashes and give it a whirl.

2. Expires = the cookie i think. but then again, i could be wrong seeing as how it says 1981.... gotta ask someone else for that. sorry :/

3. You can only capture packets on a network that you have admin access on, so if you have said access then you would then set wireshark to listen at the router thereby capturing all packets passed through it. If you dont have said access then you would need to somehow put wireshark on their computer or get them to use yours.
: Re: Basic Forensics with Wireshark
: relax August 21, 2012, 04:36:37 PM
thanks for the great tutorial
really well written

cookielength=-1&hash_passwrd=7bbf264cdc9a2f868c839a436150bfd7e11fd68eHTTP/1.1 302 F
You shouldn't give out your own password hash. It is your password, just encrypted. You can use online decrypters or John to crack it.
I recommend you change your password if you haven't already..
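An added illustration of the point relax and Daemon make above about the captured `hash_passwrd` value; this code is not from the thread. The captured request has an empty `passwrd` field and a 40-hex-character `hash_passwrd`, which is the size of a SHA-1 digest, so the browser hashed the password before sending it. The scheme used here, sha1(sha1(lowercased user + password) + session id), is an assumption about SMF-style logins, and the username, password, session id and wordlist are all made up.

```python
"""A client-side password hash captured from an HTTP login is not a safe secret.

Added example, not from the thread. Crouton's capture shows passwrd= empty and
hash_passwrd=<40 hex characters> (the length of a SHA-1 digest): the browser
hashed the password before sending it. This code assumes the SMF-style scheme
sha1(sha1(lower(user) + password) + session_id); the scheme, the user, the
password, the session id and the wordlist are all assumptions made up here.
"""
import hashlib
import re

def client_hash(user, password, session_id):
    """hash_passwrd as the browser would compute it under the assumed scheme."""
    inner = hashlib.sha1((user.lower() + password).encode()).hexdigest()
    return hashlib.sha1((inner + session_id).encode()).hexdigest()

def parse_login_request(body):
    """Pull user, passwrd and hash_passwrd out of a captured form body. The
    capture in the thread had the HTTP response line fused onto the end of the
    value, so the hash is matched as exactly 40 hex characters."""
    user = re.search(r"(?:^|&)user=([^&]*)", body).group(1)
    passwrd = re.search(r"(?:^|&)passwrd=([^&]*)", body).group(1)
    hashed = re.search(r"hash_passwrd=([0-9a-f]{40})", body).group(1)
    return user, passwrd, hashed

def crack(user, session_id, hash_passwrd, wordlist):
    """Offline dictionary attack. The session id is in the same capture (the
    cookie), so an observer has every input and no server rate limit applies."""
    for candidate in wordlist:
        if client_hash(user, candidate, session_id) == hash_passwrd:
            return candidate
    return None

# Constructed capture fragment: all values below are made up.
SESSION_ID = "3f9c1e2a7b44d0e8"
PASSWORD = "winter2012"
BODY = ("user=alice&passwrd=&cookielength=-1&hash_passwrd="
        + client_hash("alice", PASSWORD, SESSION_ID) + "HTTP/1.1 302 Found")
WORDLIST = ["password", "letmein", "alice123", "winter2012", "qwerty"]

def demo():
    """Return (plaintext field as seen on the wire, password recovered offline)."""
    user, passwrd, hashed = parse_login_request(BODY)
    return passwrd, crack(user, SESSION_ID, hashed, WORDLIST)

if __name__ == "__main__":
    print(demo())   # passwrd is empty on the wire; the hash still gives up the password
```

Because the session id is folded into the hash, the captured value cannot simply be replayed in a later session, but that does not protect the password: anyone who saw the request also saw the session id, so the dictionary attack runs offline with no rate limit. Sending the login over TLS, as Daemon mentions the forum now does, is what keeps the value off the wire in the first place.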



: Re: Basic Forensics with Wireshark
: Artificial September 03, 2012, 10:58:48 PM
Are your pictures like that or are they cut off because of the forums?
: Re: Basic Forensics with Wireshark
: Daemon September 04, 2012, 02:05:15 AM
Are your pictures like that or are they cut off because of the forums?

Not sure. What browser are you using? They work just fine in Firefox. If you're talking about the height of some of them then that's because I deliberately made them small to emphasize a particular piece of information without having to do a lot of photo editing. I hate photo editing lol
+1 man, this is awesome

Thank you :)
: Re: Basic Forensics with Wireshark
: 4p3x September 04, 2012, 03:45:24 AM
I absolutely love Wireshark! Nice information you gave there! But if someone does want a Facebook password then run SSLstrip. I'm sure you've heard of it but just enable port forwarding and set up iptables and arpspoof your victim and use sslstrip to remove most SSL. I don't think this program works on Gmail but it works nice on everything else! I've tested it on bank websites, PayPal, eBay and Facebook. I'm sure you can google how to successfully run sslstrip if you don't know how or you can message me and I'll give you the steps! Again man, nice post on this Wireshark. +1 (:
: Re: Basic Forensics with Wireshark
: bluephantom September 04, 2012, 06:24:37 AM
nice share  ;D
: Re: Basic Forensics with Wireshark
: Ullen October 21, 2012, 05:21:51 PM
Thanks. Great tutorial. +1
: Re: Basic Forensics with Wireshark
: geXXos October 26, 2012, 02:24:36 PM
Well done man,i learned something by you, +1 by me too.
I have to read more about protocols etc. though cause i can't grasp some things.
: Re: Basic Forensics with Wireshark
: Daemon October 26, 2012, 07:32:47 PM
Well done man,i learned something by you, +1 by me too.
I have to read more about protocols etc. though cause i can't grasp some things.

Hmm.
http://compnetworking.about.com/od/networkprotocols/g/protocols.htm

that should give you a decent start. check all the links at the bottom. Basically though protocols are what allow the transfer of information over networks and the internet by creating certain standards for different types of applications/data and protocols also helps prevent data from being formed improperly which could cause a problem with the receiving computer/router/switch.

Thanks for all the positive feedback guys :)
: Re: Basic Forensics with Wireshark
: geXXos October 26, 2012, 08:45:09 PM
Thank you for the link man,very interesting, i appreciate your help.
: Re: Basic Forensics with Wireshark
: jeremy78 October 29, 2012, 09:52:03 PM
+1 nice tutorial
: Re: Basic Forensics with Wireshark
: daskwhy December 16, 2012, 04:05:54 PM
Great SHARE !! THANK YOU!!
: Re: Basic Forensics with Wireshark
: Sparky712 January 27, 2013, 02:36:50 AM
now, I recently went on a certain website... and I was shocked at what I found. This same file, (it must be... same email, and TCP stream) is being used there as a task they have, and apparently, in the recruitment process, they may possibly ask you how you solved the puzzle in this. Daemon, That's given me even more incentive to go through it XD :)

: Re: Basic Forensics with Wireshark
: Daemon January 27, 2013, 02:44:02 AM
now, I recently went on a certain website... and I was shocked at what I found. This same file, (it must be... same email, and TCP stream) is being used there as a task they have, and apparently, in the recruitment process, they may possibly ask you how you solved the puzzle in this. Daemon, That's given me even more incentive to go through it XD :)


Lol could be, if it's the site I'm thinking of it's not an actual recruitment process, that's just the scenario. I got the capture file from a guy I know who made it for others to mess with for fun, and he said it's cool if I used it for the demo.
Cheers though man, good luck with that :)
: Re: Basic Forensics with Wireshark
: parad0x January 27, 2013, 05:17:38 AM
What a tut, Daemon. +1 to you. This tut helped me in passing the forensic challenges of SO.Thank you very much.
: Re: Basic Forensics with Wireshark
: Sparky712 January 27, 2013, 12:34:56 PM
Yeah, it's just a scenario, that they may ask you about. stumbling on that site though, has made me reevaluate how I teach myself this stuff.
+1 from me, for both the help, and for the source. very useful guide. It's brilliant!
: Re: Basic Forensics with Wireshark
: Deque January 27, 2013, 04:39:43 PM
That's a very good tutorial. I recently started to use Wireshark, so this will come in handy. Thank you and +1.
: Re: Basic Forensics with Wireshark
: Griffon Bossi February 01, 2013, 11:05:29 PM
on my server there are lines that are saying stuff like "hey who is xxx.xxx.xxx.xxx respond to xx.xxx.xxx.xxx" and i was wondering how to send packets like that to the router
: Re: Basic Forensics with Wireshark
: Daemon February 01, 2013, 11:52:35 PM
on my server there are lines that are saying stuff like "hey who is xxx.xxx.xxx.xxx respond to xx.xxx.xxx.xxx" and i was wondering how to send packets like that to the router

I have no idea what you're asking. You mean packets in your capture that are like SYN from xxx.xxx.xxx.xxx to xxx.xxx.xxx.xxx?
I think what you're asking about is sending SYN, SYN/ACK packets to a server to check for a response, right? If so then use nmap or another port scanning utility like that. If you're asking about using code to do it, then ask in our C++ or Python forums.

If I'm way off then please specify a bit more what you're trying to do with details and possibly examples and/or your end goal and I'll see what I can do to help you out


@Deque
Thanks man, if you're trying to do the SO forensics challenges then this article should help a lot. Glad I could help you out some man :)
: Re: Basic Forensics with Wireshark
: Griffon Bossi February 01, 2013, 11:54:53 PM
Thanks for trying to help, but I'm good. However, I do have one question: I have packets that just have a lot of gibberish and I was wondering if there was a way I could understand it.


".....Y'yj0D...&.Gz..a.....]...... %L.{.xr....]DE..q..`....h..............j...#......Y<y......R..... .a..N_(...-m..$[....V27:hR=.j........a.D.<L!fk.O..Y.M..P.s.{..... .....k.z....o.Y......X:J...&.6..........7.<.J......}fY..f...9.... wF........I.........c...;.....>......h;
... "...!\...sz....e3.... ..A&..Y.E...:.M...V.\;i.......z.......K.)]D..Ah4.k..y...On&=..... .....
......UE.f."JG.~{.......3>.....{m..8...`.?!.O..
.H.x..o.... x....<.m%N)./..kns{#.o...Y.Y%{............6......x.>...8..b^
....
........u...^.R..aU.B.n6.}..M.$......8.UX...o.Tn...6...@m.K..... ..H..!hX.~..De{.]..~..k#X8.?.!..........n=...2..?D.M..v.!o....... ....D.G..#....Y.%.~H.8.r>.H.H.Q......oe............&..b..L....... ~..\.B/Yi-i...mq....'..P.............H...5....W..S.q....D..z..... Q.8w-''.R5.fnmC&...HLC....^.gxi......N..).g&6..QW.zH@K.B..g...... .}7.8..r..DJ$..-0UO.Z..'.!v....g......A.?pSP.-Oz#V#....[)...1.... #Tm...J.".K2...X.p.~W...r..U..pK......)  ...r(..=a...L]..;..Z.... .......P..(.D(.$........}...0........;.....".f..].Wa.h&8.B..0.... LF.r....S......I."...R.N...L6..~.........|U.9
'}.....#.
.^Y...... n.I...a."..p..bg.t4.|
,n.yJ...,......z.B/..W.9.K^....ZF.!\.ek.... ,..yY..7wn .S...#...o.y...0.&..."
: Re: Basic Forensics with Wireshark
: Daemon February 01, 2013, 11:57:39 PM
Depends, is it gibberish because it's a file? If so just save it and open it like I did in the tutorial with the rar file.
If it's because you captured an SSL stream (Facebook) then there's nothing you can do that I'm aware of. It really just depends on where you got the packet capture from. If you want to PM me I'll do what I can to help you out.

Edit*
Check the encoding as well, that may give you a hint as to whether you can view it or not. Though if it's SSL you're SOL as far as I'm aware.
: Re: Basic Forensics with Wireshark
: Griffon Bossi February 02, 2013, 12:04:16 AM
im going to just poke around on my own. and thanks for being an awesome dude.
: Re: Basic Forensics with Wireshark
: iTpHo3NiX February 02, 2013, 05:26:20 AM
im going to just poke around on my own. and thanks for being an awesome dude.


+1 He really is <3 u Daemon  8)
: Re: Basic Forensics with Wireshark
: Daemon February 02, 2013, 05:31:38 AM

+1 He really is <3 u Daemon  8)

:D
I love you guys. Buttsecks skidiot?

And thanks to you too Griffon :)
: Re: Basic Forensics with Wireshark
: p_2001 February 02, 2013, 06:15:50 AM
Ok, here is my problem.
I can see data from my computer but not from the router.
So I googled and it said that I need to mitm.
tried that but not working. Anyone help?
: Re: Basic Forensics with Wireshark
: iTpHo3NiX February 02, 2013, 06:21:25 AM
:D
I love you guys. Buttsecks skidiot?

And thanks to you too Griffon :)


(http://t.qkme.me/3pbfz0.jpg)


(http://i39.photobucket.com/albums/e184/Cob450/SurpriseButtsecks.jpg)
: Re: Basic Forensics with Wireshark
: Daemon February 02, 2013, 06:59:10 AM
Ok, here is my problem.
I can see data from my computer but not from the router.
So I googled and it said that I need to mitm.
tried that but not working. Anyone help?
Between the router and another computer? If so then yeah, you need mitm or to run wireshark on the router itself.
: Re: Basic Forensics with Wireshark
: Griffon Bossi February 02, 2013, 08:02:59 AM
I'm just happy to get help because other places I have been the people were not as nice/helpful. It was either you knew what you were doing or GTFO.

One more thing, it only seems like my activity is being put up onto Wireshark and I'm in a college dorm so I know I'm not the only one on. Any idea why it is like that and how I can change it?

Staff note: double post!
: Re: Basic Forensics with Wireshark
: sn0w February 02, 2013, 09:05:18 AM
Thanks a lot man. This tutorial is awesome. I recently started to learn  about Nmap & Wireshark. This is going to help me a lot.
: Re: Basic Forensics with Wireshark
: RedBullAddicted February 02, 2013, 09:22:19 AM
: Griffon Bossi
one more thing, it only seems like my activity is being put up onto wire shark and im in a college dorm so i know im not the only one on. any idea why it is like that and how can i change it?

Seems like you are on a switched network which means only traffic directed to your client will be sent to your machine (network card). That's basically the difference between a hub and a switch. If you were connected to a hub you would see all traffic because the hub just sends out the data to all connected clients. Wireless access points work the same way as a hub. There are some other things you are able to see because they are sent as a broadcast (directed to all clients on a subnet) which brings us to your next question.

: Griffon Bossi
on my server there are lines that are saying stuff like "hey who is xxx.xxx.xxx.xxx respond to xx.xxx.xxx.xxx" and i was wondering how to send packets like that to the router

This is a standard ARP request and a pretty good example of traffic that is sent as broadcast. ARP is a layer 2 protocol and every client has an ARP table which gets dynamically updated in a specific time interval. The ARP table is used to create an IP address to MAC binding. You can use tools like ettercap or you can script your own with Python/Scapy (it's the most simple way) to perform ARP protocol based attacks. This for example would be a way to capture traffic which is normally not visible to you (just a very basic explanation). If you want to learn more about ARP and the attack and the way network administrators are able to stop it please read this one (shameless plug.. lol)

http://evilzone.org/tutorials/network-securtiy-features-and-how-to-get-pass-part-1-dynamic-arp-protection/

EDIT:
lol.. I really had the feeling I am repeating what I already said and it is true. It's the third reply on the first page of that thread

You guys should just read all posts on a thread before you start to ask questions.. lol :)
@Griffon Bossi: please edit your post and do not double post. If skidiot.h sees this he will not be amused :)

Damn.. nearly forgot it.. you guys really make me jealous. Can I join the Buttseckz Daemon, skidiot?.. we can make it a real orgy :) lol
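RedBullAddicted's explanation above of the ARP request Griffon saw ("who is X, respond to Y") and of ARP poisoning, as an added example that is not from the thread: the code decodes Ethernet/ARP frames into the same one-line summary Wireshark's Info column shows, and keeps the IP-to-MAC table he describes so that an IP address suddenly answering from a second MAC is reported, which is how a poisoning attack shows up in a capture taken on the victim's side. Frames are built by hand with struct and every address in them is made up.

```python
"""Decode ARP frames the way Wireshark's Info column does, and flag an IP
address whose MAC changes mid-capture, which is what ARP poisoning looks like
from the victim's side.

Added example, not from the thread. Frames are built here by hand with
struct; every MAC and IP address below is made up.
"""
import struct
from ipaddress import IPv4Address

BROADCAST = b"\xff" * 6
ETHERTYPE_ARP = b"\x08\x06"
ARP_FMT = "!HHBBH6s4s6s4s"          # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
REQUEST, REPLY = 1, 2

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP packet (constructed for the demo).
    Requests go to the broadcast MAC; replies go straight to the target."""
    dst = BROADCAST if op == REQUEST else target_mac
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                      sender_mac, IPv4Address(sender_ip).packed,
                      target_mac, IPv4Address(target_ip).packed)
    return dst + sender_mac + ETHERTYPE_ARP + arp

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip), or None if the
    frame is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, mac_str(sha), str(IPv4Address(spa)), mac_str(tha), str(IPv4Address(tpa))

def info_column(frame):
    """The one-line summary Wireshark shows for an ARP packet."""
    parsed = parse_arp(frame)
    if parsed is None:
        return None
    op, sender_mac, sender_ip, _, target_ip = parsed
    if op == REQUEST:
        return f"Who has {target_ip}? Tell {sender_ip}"
    if op == REPLY:
        return f"{sender_ip} is at {sender_mac}"
    return f"ARP opcode {op}"

def binding_changes(frames):
    """Remember which MAC each IP first claimed (in requests or replies) and
    report every later frame where the same IP shows up with a different MAC."""
    claimed, alerts = {}, []
    for index, frame in enumerate(frames):
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        _, sender_mac, sender_ip, _, _ = parsed
        first = claimed.setdefault(sender_ip, sender_mac)
        if first != sender_mac:
            alerts.append((index, sender_ip, first, sender_mac))
    return alerts

# Constructed capture: a host asks for the gateway, the gateway answers, then a
# third machine answers for the gateway's IP with its own MAC.
GATEWAY_MAC = bytes.fromhex("001122334455")
HOST_MAC = bytes.fromhex("66778899aabb")
ROGUE_MAC = bytes.fromhex("ccddeeff0011")
CAPTURE = [
    build_arp(REQUEST, HOST_MAC, "192.168.0.150", bytes(6), "192.168.0.1"),
    build_arp(REPLY, GATEWAY_MAC, "192.168.0.1", HOST_MAC, "192.168.0.150"),
    build_arp(REPLY, ROGUE_MAC, "192.168.0.1", HOST_MAC, "192.168.0.150"),
]

if __name__ == "__main__":
    for frame in CAPTURE:
        print(info_column(frame))
    for index, ip, first, now in binding_changes(CAPTURE):
        print(f"frame {index}: {ip} moved from {first} to {now}")
```

The change detector is deliberately simple: a replaced network card or a DHCP lease moving to another machine trips it too, so in practice the alert is a prompt to look at the surrounding frames (Wireshark raises a duplicate-IP-address expert warning on the same condition) rather than proof of an attack on its own.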
: Re: Basic Forensics with Wireshark
: iTpHo3NiX February 02, 2013, 10:17:12 AM
Damn.. nearly forgot it.. you guys really make me jealous. Can I join the Buttseckz Daemon, skidiot?.. we can make it a real orgy :) lol


(http://img.photobucket.com/albums/v373/BigDozer66/GIFs/Buttsecks-monkeys.jpg)


(http://i32.tinypic.com/2nq9nyh.jpg)


ACCEPTED