Author Topic: Basic Forensics with Wireshark  (Read 29511 times)

0 Members and 1 Guest are viewing this topic.

Offline Daemon

  • VIP
  • Baron
  • *
  • Posts: 845
  • Cookies: 153
  • A wise man fears a gentle mans anger
    • View Profile
Basic Forensics with Wireshark
« on: August 14, 2012, 11:08:09 pm »
Basic forensics using Wireshark

Wireshark is a free, open-source, packet analyzer that can be used both to capture packets and to read packet captures. Now this may sound like no big deal, so what if you can see some

packets on the network right? Not at all, using wireshark you are able to intercept passwords, re-create files that were transferred so that you know what the file is, even read emails that

were sent while Wireshark was running. It is also used to identify network performance issues to help decrease lag across your network.
Sound a bit more useful now?

Contents in this tutorial:

1. Setting up Wireshark-A few things to do
2. What does this mean? How to read a packet
2.5 Interesting packets, packets that mean something
3. TCP Stream
4. Extracting Data
5. Not Wireshark-But we have to finish!
6. In closing



Download the packet we will be using the this tutorial:   http://upload.evilzone.org/download.php?id=926911&type=zip

1. Setting up Wireshark

This is assuming you have wireshark installed and have a capture file to examine. Feel free to download the capture provided with this tutorial so that you can follow along.

First things first, after opening it up you see something like this:


Now starting from the left we have different columns that we can use to help us sort through all of this info. In order to read packets better you should go to Edit > Preferences > Columns and add Destination Port (unresolved) as a column. That tells us which port the packet is connecting on, 25 for smtp, 80 for http, and so on. This will help you identify what's going on and if a program is connecting through the correct port. Not so useful in the confines of this example packet or tutorial, but definitely worth having farther down the road. Feel free to sort the columns into whatever order you prefer, though personally i think it's helpful to keep the NO. column on the left. Please do so for this tutorial as I will be referencing packets by number.


2. How to Read a Packet

Now that we have our packets opened up, we'll sort them by number in descending order. Referring to the image above you can see that wireshark gives us a lot of info about each packet. The source and destination IP's tell you whether the packet came from the host (your computer for example) or the server/computer/website your connecting to. If we look at packet one, we see that our host is 192.168.0.150 and our destination is 192.168.0.100. From that alone we can tell that these two computers are on the same network, and assuming the subnetmask is 255.255.255.0 (the most common on home networks) then we can tell they are on the same subnet within the network. For a more detailed explanation check out    Networking-The Basics parts 1 and 2

The next columns we see are the destination port, and the protocol. The destination port tells you what port the packet went through, which if you use the list of ports found HERE can tell you a lot about the program being used. Again, not so useful within our example capture however. The protocol column tells you what protocol it's using:

-TCP
is the protocol that controls any inter-electronics communication, it uses a 3 way handshake using SYN, SYN/ACK, and ACK packets to talk and is it's own tutorial by itself. Just know that it exists, and is SUPER important to how computers talk to each other. For more info, HERE
-FTP is used for file sharing
-SMTP is used for email.
-HTTP is used for web browser's

For a full list of protocols check HERE. This tutorial is mostly concerned with the SMTP protocol in our capture file.

The final two columns are length and info, length tells you how large the packet is in bytes and info tells you all the juicy stuff. Just take a minute to scroll through and see what's going on in the Info column. Idk how to explain it, it just makes enough sense if you read english so that you can tell whether or not it's worth looking at (at least it does for me)



2.5 Interesting packets

Lets take a quick look at a few interesting packets, and why I consider them interesting:

This one has the word login. Need I say more? In this case it's not so important, but LOGIN is always worth looking out for ;)




This one has the word telnet, the original computer to computer protocol. And telnet is never encrypted :)  Again though, not important in this tutorial, but always worth looking out for.




Ah ha! Mail From. That's what were looking for ;)




Now lets look at the surrounding packets so we can see what all is going on here.




So from this block of packets, we can see that an email was sent from <root@localhost.local> to  <postmaster@localhost.local>  (both machines are on the same network remember)

Now that we have identified what we're looking for, time for the next step....



3. TCP Stream



Next step is to view the TCP stream, right click on any of those packets in that SMTP block and go to follow tcp stream. This also applies a filter to the top of your main wireshark screen which you need to clear after your finished reading the TCP Stream in order to get back to the entire capture. More on that later.



You should see a screen like this:




What's that? a backup password?? Must be important, take note of it :)





4. Extracting Data

Now we continue looking through our stream, however instead of looking through the whole thing again for interesting packets, lets sort by source type and scroll down to the SMTP protocols.

Don't forget to clear your filter!



All those packets labeled data fragment? That means that data was sent over the SMTP protocol, in other words an attachment of some sort. Now don't stress just because it says fragment, it's sent in fragments but our trusty Follow TCP Stream will show us the whole thing. Right click on one of those packets and follow the stream.




Unfortunately it's not sent in plain text like the message earlier. But if it's not in plain text then how does the recipient know how to view the file? Is it some super secret code he knows? Negative. The secret lies right here:




The encoding is Base64. Now this could mean many things, and if your first guess is to use a Base 64 decoder online then you wouldn't be the only one. However that won't work, as this isn't some algorithm but rather a way for the computer to translate the attachment into data that can then be interpreted into Binary and sent over the network. So rather than decoding, we simply hit Save As. in any folder you like, any name you like.

Another good guess would be to then open this file by right clicking > open with > 7zip (or your preferred unzipping program) as the file was labeled Backup.rar (right above where the encoding was) and .rar is the extension for zipped files. Again though, this won't work. The thing to remember is that this packet was sent by email, and in order for an email client to do that it first has to convert the data into a form that the client can read. So that confusing block of text that looked like a super secret code? is actually how the client interprets the computers interpretation of the data.

Confusing to read, but a simple solution. Open this file in an email client!! (i used Thunderbird, not sure if it will work on hotmail or any web-based email program. but just open it with Outlook if your on windows) However, you cant do an open with > thunderbird or your client will read it as an attachment. When in fact it's a saved message. Instead open up your client and go to file > open saved message. Make sure you have all files selected instead of saved message, then select your extracted file:





Open it up and we have a blank message, with an attachment called backup.rar!!! Save that attachment, and then run 7zip (or whatever you use) to extract the files from that .rar file and you will be prompted for a password. Remember the first SMTP protocol packets that we looked at? Try typing in that password, and voi la!!! We have the files! Congratulations, you have just completed your first attempt at forensics using Wireshark :)

These files are worthless btw, don't spend 10 mins trying to read something important out of them :P



6. In closing

Wireshark is one hell of a program, I fell in love with the simple GUI and the readability of it. I also find it extremely simple to use, and while there are many other packet capture programs out there, I won't be switching anytime soon. If you want practice with it, simply start a capture and connect to the internet or send an email then save the capture and try to see what info you can extract from it (FB uses an SSL so you won't be grabbing plain text login info. sorry to dissapoint :P )  Or check out sites with hacking challenges and attempt to do their forensics challenges, it's good practice.

Also, big thanks to RedBullAddicted who helped me learn how to use Wireshark and continues to help me better understand networking and protocols. And thanks to you for reading this tutorial, perhaps as I become more comfortable/fluent with Wireshark I will write a more advanced guide that covers the complexities of this program.


Cheers! ^_^
 

Suggested Reading:

OSI model
TCP/IP model


Disclaimer*
I did not make the capture file, a fellow I know created it for his own enjoyment and to let his friends play with for fun to "beat the challenge". I was given permission to use it here.
« Last Edit: January 27, 2013, 02:46:23 am by Daemon »
This lifestyle is strictly DIY or GTFO - lucid

Because sexploits are for h0edays - noncetonic


Xires burns the souls of HF skids as a power supply

Offline Kulverstukas

  • Administrator
  • Zeus
  • *
  • Posts: 6627
  • Cookies: 542
  • Fascist dictator
    • View Profile
    • My blog
Re: Basic Forensics with Wireshark
« Reply #1 on: August 15, 2012, 05:51:07 am »
Damn, man. This time you really outdone yourself! :)
Very nice and informative article. +2 to you! :D (I don't have to wait an hour :P)

Offline hanorotu

  • Dj Rapture
  • VIP
  • Majesty
  • *
  • Posts: 1173
  • Cookies: 98
  • ( ͡° ʖ ͡°)
    • View Profile
    • Rapture
Re: Basic Forensics with Wireshark
« Reply #2 on: August 15, 2012, 06:24:32 am »
very nice I will try this


Life is hard, then you get buried.
If you want to use my work all of my music is licensed under GNU General Public License v3 (GPL-3) - http://bit.ly/TfUOBA

Offline RedBullAddicted

  • VIP
  • Sir
  • *
  • Posts: 519
  • Cookies: 189
    • View Profile
Re: Basic Forensics with Wireshark
« Reply #3 on: August 15, 2012, 07:43:00 am »
+1 Very good... couldn't havb done it better by myself and I am using wireshark nearly everyday for my job. Nice that you mentioned that wireshark can even be used for doing good stuff like hunting network performance issues (e.g. looking for TCP Retransmissions and analyse why you have them).

Now that you have explained how people can find interessting stuff in a capture file they surely want to know how to capture stuff. I just want to add some ideas for further reading. You need to know that your capture quality depends on the point where you are capturing. For doing some analysis you should capture on both machines, the sender and the recipiant and compare your results later. Normally you will capture on your own box and for this you will only be able to see the traffic regarding your own machine (and some broadcasts like DHCP Discover and Request). Some things you can use to see a little bit more.
1. If you have access to a managed network switch you can implement a mirror port
2. Do some ARP poisoning like I have explained http://evilzone.org/tutorials/network-securtiy-features-and-how-to-get-pass-part-1-dynamic-arp-protection/
3. You can use some DHCP attacks (I am writing on a tutorial about that at the moment)
4. Use a Network Tab (google for it, they can be easily build by yourself)

Do you know the difference between a switch and a hub? Basically the switch only sends the traffic to the regarding port while a hub just sends it out to all ports. This means a hub is very nice for capturing. As I said before, an WLAN accesspoint is just working the same way as a hub.

Again... thanks for that great tutorial. You will become a great networking guy if you go on with this.  :)
Deep into that darkness peering, long I stood there, wondering, fearing, doubting, dreaming dreams no mortal ever dared to dream before. - Edgar Allan Poe

Offline z3ro

  • Knight
  • **
  • Posts: 345
  • Cookies: 60
    • View Profile
Re: Basic Forensics with Wireshark
« Reply #4 on: August 15, 2012, 08:48:28 am »
+1 for you man! Awesome!
~ God is real. Unless declared as an integer.

Offline Daemon

  • VIP
  • Baron
  • *
  • Posts: 845
  • Cookies: 153
  • A wise man fears a gentle mans anger
    • View Profile
Re: Basic Forensics with Wireshark
« Reply #5 on: August 15, 2012, 06:23:07 pm »
Wow, thanks for the great feedback guys. It's that sort of positive response that makes me want to write more tuts XD

@RedBullAddicted
Good points to bring up, guess I may have to write a tutorial about how to effectively capture using Wireshark next.

Quote
You will become a great networking guy if you go on with this.

^^ thats the plan lol
This lifestyle is strictly DIY or GTFO - lucid

Because sexploits are for h0edays - noncetonic


Xires burns the souls of HF skids as a power supply

Offline Crouton

  • /dev/null
  • *
  • Posts: 16
  • Cookies: 0
    • View Profile
Re: Basic Forensics with Wireshark
« Reply #6 on: August 21, 2012, 08:47:31 am »
That was wonderful, thank you. I followed along with every step and at some points even found myself doing what I thought would come next, then reading the tut, and I was right. this is my first time using Wireshark and I'm glad its got such a simple interface (well for at least the things that you've gone over in this tutorial).

I do have two questions though:
1. When I was reading this I wasn't logged into the forum, then afterwards I started a capture, logged in, and stopped it to try to see if I could find in the packets my own login information. So I found my username, but next to it instead of my password it says "user=Crouton&passwrd=&cookielength=-1&hash_passwrd=7bbf264cdc9a2f868c839a436150bfd7e11fd68eHTTP/1.1 302 Found" how come it doesn't actually show my password?
2. My second question is how come right after that it says "Expires: Thu, 19 Nov 1981 08:52:00 GMT" would this be refering to the server?

Edit.
A third question just came to mind, if I'm using this program from my own computer to capture packets how do I use it to capture packets left by other people?

Sorry I sound like a noob, I'm just trying to learn.
« Last Edit: August 21, 2012, 08:52:26 am by Crouton »

Offline Daemon

  • VIP
  • Baron
  • *
  • Posts: 845
  • Cookies: 153
  • A wise man fears a gentle mans anger
    • View Profile
Re: Basic Forensics with Wireshark
« Reply #7 on: August 21, 2012, 04:20:39 pm »
Nps man, asking questions IS how you learn. And they are good questions, not ones I answered in the tutorial lol.

Start from the top...

1. That's because it's encrypted, IDK if you were using our new SSL connection or not but either way most sites won't send password info unencrypted because it's just not safe. where it says "hash_passwrd=" is what tells you that it's encrypted (hash=encrypted text) so your more than welcome to run that hash through an md5, or sh1, or something. Just google some hashes and give it a whirl.

2. Expires = the cookie i think. but then again, i could be wrong seeing as how it says 1981.... gotta ask someone else for that. sorry :/

3. You can only capture packets on a network that you have admin access on, so if you have said access then you would then set wireshark to listen at the router thereby capturing all packets passed through it. If you dont have said access then you would need to somehow put wireshark on their computer or get them to use yours.
This lifestyle is strictly DIY or GTFO - lucid

Because sexploits are for h0edays - noncetonic


Xires burns the souls of HF skids as a power supply

Offline relax

  • Sir
  • ***
  • Posts: 562
  • Cookies: 114
  • The one and only
    • View Profile
Re: Basic Forensics with Wireshark
« Reply #8 on: August 21, 2012, 04:36:37 pm »
thanks for the great tutorial
really well written

cookielength=-1&hash_passwrd=7bbf264cdc9a2f868c839a436150bfd7e11fd68eHTTP/1.1 302 F
you soulden't give out your own passwordhash. it is your password just encrypted. you can use online decrypters or john to crack it
i recommend you change your password if you haven't already..



« Last Edit: August 21, 2012, 04:37:33 pm by relax »

Offline Artificial

  • NULL
  • Posts: 2
  • Cookies: 0
    • View Profile
Re: Basic Forensics with Wireshark
« Reply #9 on: September 03, 2012, 10:58:48 pm »
Are your pictures like that or are they cut off because of the forums?

Offline Daemon

  • VIP
  • Baron
  • *
  • Posts: 845
  • Cookies: 153
  • A wise man fears a gentle mans anger
    • View Profile
Re: Basic Forensics with Wireshark
« Reply #10 on: September 04, 2012, 02:05:15 am »
Are your pictures like that or are they cut off because of the forums?

Not sure. What browser are you using? They work just fine in firefox. If your talking about the height of sone of yhen theb that's because I deliberately made them small to emphasize a particular piece of information without having to do a lot of photoediting. I hate photoediting lol
+1 man, this is awesome

Thank you :)
« Last Edit: September 04, 2012, 02:05:35 am by Daemon »
This lifestyle is strictly DIY or GTFO - lucid

Because sexploits are for h0edays - noncetonic


Xires burns the souls of HF skids as a power supply

Offline 4p3x

  • /dev/null
  • *
  • Posts: 15
  • Cookies: 0
    • View Profile
Re: Basic Forensics with Wireshark
« Reply #11 on: September 04, 2012, 03:45:24 am »
I absolutely love wireshark! nice information you gave there! but if someone does want a facebook password then run SSLstrip. I'm sure you've heard of it but just enable port fowarding and set up iptables and arpspoof your victim and use sslstrip to remove most SSL. I don't think this program works on gmail but it works nice on everything else! i've tested it on bank websites, paypal, ebay and facebook. I'm sure you can google how to successfully run sslstrip if you don't know how or you can message me and I'll give you the steps! Again man, nice post on this Wireshark. +1 (:

Offline bluephantom

  • Serf
  • *
  • Posts: 23
  • Cookies: 0
  • Malanghackerlink
    • View Profile
    • My Profile
Re: Basic Forensics with Wireshark
« Reply #12 on: September 04, 2012, 06:24:37 am »
nice share  ;D
“Maybe there are no right moments, right guys, right answers, maybe sometimes you just to say what’s in your heart”

Offline Ullen

  • Peasant
  • *
  • Posts: 65
  • Cookies: 5
  • I may be down, but i'm not out!!
    • View Profile
Re: Basic Forensics with Wireshark
« Reply #13 on: October 21, 2012, 05:21:51 pm »
Thanks. Great tutorial. +1
"The only real wisdom is knowing you know nothing"

Offline geXXos

  • Royal Highness
  • ****
  • Posts: 646
  • Cookies: 178
    • View Profile
Re: Basic Forensics with Wireshark
« Reply #14 on: October 26, 2012, 02:24:36 pm »
Well done man,i learned something by you, +1 by me too.
I have to read more about protocols etc. though cause i can't grasp some things.