Sniffing and Recovering Network Information Using Wireshark
Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Wireshark is cross-platform: it uses the GTK+ widget toolkit to implement its user interface and pcap to capture packets, and it runs on various Unix-like operating systems including Linux, OS X, BSD and Solaris, as well as on Microsoft Windows.
You can download Wireshark for Windows or Mac OS X from the official website (http://www.wireshark.org/download.html). Most Linux distributions ship Wireshark as a package. If Wireshark is not installed, follow the documentation below and run the proper command for your operating system: Building and Installing Wireshark (http://www.wireshark.org/docs/wsug_html_chunked/ChapterBuildInstall.html). Wireshark needs to be run as the root user on your system. When Wireshark starts, it will show a message warning that you are running it as root and that this might be dangerous.
Capture Interfaces
We can get an overview of the available local interfaces by opening the Capture menu and clicking the Interfaces option, as shown in Figure 1. Clicking the Options button brings up the “Capture Options” dialog box. The table shows the settings for all available interfaces, including a lot of information for each one and some checkboxes such as:
• Capture on all interfaces – As Wireshark can capture on multiple interfaces, it is possible to choose to capture on all available interfaces.
• Capture all packets in promiscuous mode – This checkbox allows you to specify that Wireshark should put all interfaces in promiscuous mode when capturing.
By clicking the Start button we will see a lot of packets start appearing in real time. Wireshark captures each packet sent from (Source) or to (Destination) our system.
User Interface
Before we proceed to analyze our network traffic, we will explain the basic information we need to know about the packet list pane, the color rules, the packet details pane and the packet bytes pane.
Packet List pane
The packet list pane displays all the packets in the current capture file. Each line in the packet list corresponds to one packet in the capture file. If you select a line in this pane, more details will be displayed in the Packet Details and Packet Bytes panes.
The default columns will show:
• No. – The number of the packet in the capture file. This number won’t change, even if a display filter is used.
• Time – The timestamp of the packet. The presentation format of this timestamp can be changed.
• Source – The address where this packet is coming from.
• Destination – The address where this packet is going to.
• Protocol – The protocol name in a short (perhaps abbreviated) version.
• Info – Additional information about the packet content.
Color Rules
A very useful mechanism available in Wireshark is packet colorization. There are two types of coloring rules in Wireshark: temporary ones that are only used until you quit the program, and permanent ones that are saved to a preference file so that they are available in the next session. Let’s focus on the most important default rules. Green marks TCP packets, while black identifies corrupted TCP packets. Light blue marks UDP packets and dark blue marks DNS traffic. For more information, or if we would like to edit or add our own color rules, we can open the View menu and click Coloring Rules.
Packet Details Pane
The packet details pane shows the current packet (selected in the “Packet List” pane) in a more detailed form. This pane shows the protocols and protocol fields of the packet selected in the “Packet List” pane. The protocols and fields of the packet are displayed using a tree, which can be expanded and collapsed.
Packet Bytes Pane
The packet bytes pane shows the data of the current packet in a hexdump style. The left side shows the offset in the packet data, in the middle the packet data is shown in a hexadecimal representation and on the right the corresponding ASCII characters are displayed.
Start Capturing – Analyzing
In this part we will start capturing our network traffic once more, so choose the Start option from the Capture menu. Next we will attempt to log in to an account and analyze the traffic in Wireshark to see whether we can find important information. As we can see, Wireshark shows a large number of packets. A valuable option here is the Filter bar, which lets us quickly edit and apply display filters. Let’s isolate the HTTP packets by typing the string http in the filter bar. As we can see, the packet list pane now shows only HTTP packets. Among these we need to identify the response from the host to which we attempted to log in. Looking at the highlighted results, we can see in the Info column that there are packets which contain the GET method. Let’s focus on this information and explain it.
Note
The GET method requests a representation of the specified resource. Requests using GET should only retrieve data and should have no other effect. In the packet list pane, click the Hypertext Transfer Protocol line: the GET method appears, along with a lot of important information such as the request version, the Host and the User-Agent, which contains the browser version and the OS the user used to log in. Next we want to examine the full conversation between the client and the server by using the Follow TCP Stream option (right-click on the packet and choose Follow TCP Stream). A pop-up window will appear containing the entire conversation as stream content. Red text indicates the request and blue text the response from the host. Notice also that, when we choose Follow TCP Stream, Wireshark automatically adds the corresponding stream filter to the Filter bar.
By reviewing the highlighted code closely in Figure 3 we can see that the index.php action has two inputs, the username and the password. We can identify in the Packet List pane a POST request from our machine to the server using the HTTP protocol. Selecting the Hypertext Transfer Protocol tree once more, we can verify the request and the method used to log in to the host.
Note
POST method requests that the server accept the entity enclosed in the request as a new subordinate of the web resource identified by the URI. The data POSTed might be, as examples, an annotation for existing resources; a message for a bulletin board, newsgroup, mailing list, or comment thread; a block of data that is the result of submitting a web form to a data-handling process; or an item to add to a database.
Notice that in the packet details pane there is also a new tree line named Line-based text data. By clicking on it we can see the POST request body, which contains the username and the password in clear text. Checking the packet bytes pane, we can read the same information in the Hex or Bits view.
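To make the three panes and the clear-text POST concrete, here is an added example (it is not code from the article or from the Wireshark project) that does in plain Python what we just did by hand in the GUI: it parses a pcap file, dissects Ethernet/IPv4/TCP/HTTP into a packet list and a details tree, renders the packet bytes as a hexdump, and flags HTTP form POSTs that carry password-like fields in the clear. The capture it reads is constructed in memory (the frames, addresses, the host login.example and the credentials are all made up), and it goes a little beyond the article by handling any Ethernet pcap, not just the one login shown in Figure 3. The detector reports only the field names, never the values, which is the behaviour a defender wants from a monitoring script.

```python
import struct
from urllib.parse import parse_qs

# ---- Constructed sample capture (not a real capture from the article) ---------------
# Three frames: a GET, the login POST and the server reply, each Ethernet/IPv4/TCP.
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
HTTP_GET = b"GET /index.php HTTP/1.1\r\nHost: login.example\r\nUser-Agent: Example/1.0\r\n\r\n"
HTTP_POST = (b"POST /index.php HTTP/1.1\r\nHost: login.example\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 33\r\n\r\n"
             b"username=alice&password=hunter2xx")          # made-up credentials
HTTP_RESP = b"HTTP/1.1 302 Found\r\nLocation: /home\r\n\r\n"
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
SENSITIVE_FIELDS = {"password", "passwd", "pwd", "pass", "secret", "token"}


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Wrap a payload in TCP, IPv4 and Ethernet headers (checksums left zero; fine for parsing)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp


def pcap_record(ts_sec, ts_usec, frame):
    """One pcap packet record: header (timestamp, captured length, original length) + frame."""
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame


SAMPLE_PCAP = (PCAP_GLOBAL
               + pcap_record(1700000000, 0, build_frame("192.168.1.10", "203.0.113.5", 51000, 80, HTTP_GET))
               + pcap_record(1700000000, 250000, build_frame("192.168.1.10", "203.0.113.5", 51000, 80, HTTP_POST))
               + pcap_record(1700000000, 300000, build_frame("203.0.113.5", "192.168.1.10", 80, 51000, HTTP_RESP)))


def dissect_frame(number, ts, frame):
    """The Packet Details view: decode Ethernet -> IPv4 -> TCP -> HTTP as far as the frame allows."""
    ethertype, = struct.unpack_from("!H", frame, 12)
    pkt = {"no": number, "time": ts, "raw": frame, "payload": b"", "info": "",
           "src": frame[6:12].hex(":"), "dst": frame[0:6].hex(":"), "proto": "Ethernet",
           "layers": {"Ethernet": {"type": hex(ethertype)}}}
    if ethertype != 0x0800:                      # not IPv4: stop at the Ethernet layer
        return pkt
    ip = frame[14:]
    ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0], ip[9]
    pkt.update(src=".".join(map(str, ip[12:16])), dst=".".join(map(str, ip[16:20])), proto="IPv4")
    pkt["layers"]["IPv4"] = {"ttl": ip[8], "protocol": proto}
    if proto != 6:                               # not TCP
        return pkt
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack_from("!HHIIH", tcp, 0)
    pkt["payload"] = tcp[(off_flags >> 12) * 4:]  # data offset is in 32-bit words
    pkt["layers"]["TCP"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                            "flags": off_flags & 0x1FF}
    pkt.update(proto="TCP", info=f"{sport} -> {dport}")
    first_line = pkt["payload"].split(b"\r\n", 1)[0]
    if first_line.startswith(HTTP_METHODS) or first_line.startswith(b"HTTP/"):
        pkt.update(proto="HTTP", info=first_line.decode("ascii", "replace"))
    return pkt


def parse_pcap(data):
    """Walk a little-endian pcap (the classic format Wireshark reads) and dissect every record."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic or byte order")
    if struct.unpack_from("<I", data, 20)[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled here")
    offset, packets = 24, []
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, offset)
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        packets.append(dissect_frame(len(packets) + 1, ts_sec + ts_usec / 1e6, frame))
    return packets


def packet_list(packets):
    """The Packet List pane's default columns: No., Time (relative), Source, Destination, Protocol, Info."""
    t0 = packets[0]["time"] if packets else 0.0
    return [f'{p["no"]:>3} {p["time"] - t0:.6f} {p["src"]} -> {p["dst"]} {p["proto"]} {p["info"]}'
            for p in packets]


def hexdump(data, width=16):
    """The Packet Bytes pane: offset, hex bytes, printable ASCII."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart}  {asc}")
    return "\n".join(lines)


def find_cleartext_credentials(packets):
    """Flag HTTP form POSTs carrying password-like fields in the clear (field names only, never values)."""
    findings = []
    for p in packets:
        if p["proto"] != "HTTP" or not p["payload"].startswith(b"POST "):
            continue
        head, _, body = p["payload"].partition(b"\r\n\r\n")
        headers = {k.strip().lower(): v.strip() for k, _, v in
                   (line.partition(b":") for line in head.split(b"\r\n")[1:])}
        if b"application/x-www-form-urlencoded" not in headers.get(b"content-type", b""):
            continue
        hits = sorted(k for k in parse_qs(body.decode("utf-8", "replace")) if k.lower() in SENSITIVE_FIELDS)
        if hits:
            findings.append({"no": p["no"], "src": p["src"],
                             "host": headers.get(b"host", b"?").decode(), "fields": hits})
    return findings


if __name__ == "__main__":
    pkts = parse_pcap(SAMPLE_PCAP)
    print("\n".join(packet_list(pkts)))
    print(hexdump(pkts[1]["raw"]))
    print(find_cleartext_credentials(pkts))
```

Running it prints the same three things the article walks through in the GUI: the packet list (the POST shows up as `HTTP POST /index.php HTTP/1.1`), the hexdump of that frame with the form body readable in the ASCII column, and a finding naming packet 2, the client address, the host and the `password` field. Pointed at a real capture (`parse_pcap(open("capture.pcap", "rb").read())`) it becomes a simple audit for clear-text logins on your own network.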
Cracking – Analyzing W-Network
In this part of the article we will explain how we can gain access to our WLAN network, how to retrieve the wireless password and, finally, how to use it to analyze the traffic in Wireshark.
First we will run the following command to get a list of our network interfaces:
wizard32@wizard32:~$ sudo airmon-ng
Interface Chipset Driver
wlan0 Unknown iwlwifi – [phy0]
As we can notice the only available interface is the wlan0 adapter. To capture network traffic without being associated with an access point, we need to set the wireless network adapter in monitor mode (Listing 1).
Listing 1. Setting wireless network adapter in monitor mode
wizard32@wizard32:~$ sudo airmon-ng start wlan0
Found 4 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
PID Name
1103 NetworkManager
1121 avahi-daemon
1125 avahi-daemon
1299 wpa_supplicant
Interface Chipset Driver
wlan0 Unknown iwlwifi – [phy0]
(monitor mode enabled on mon0)
Next, run Wireshark once more, open the Capture menu and click the Interfaces option. As mentioned above, monitor mode is enabled on mon0, so in the Wireshark pop-up window select mon0 as the capture interface and click Start (Figure 5). After the capture starts we see multiple access points (SSIDs). Typing HTTP or DNS in the Filter bar returns no results, because the traffic is still encrypted. Looking at the packet list pane we can find our access point by locating either its BSSID (basic service set identifier) or its SSID (service set identifier).
• BSSID is the MAC address of the wireless access point (WAP), formed by combining the 24-bit Organizationally Unique Identifier with the manufacturer’s assigned 24-bit identifier for the radio chipset in the WAP.
• SSID is the name of a wireless local area network (WLAN).
Notice that two new tree lines have been added in the packet details pane; both of them describe the wireless communication protocol.
Another way to locate our access point is to use the airodump-ng tool.
wizard32@wizard32:~$ sudo airodump-ng mon0
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:11:8F:8E:4E:32 -30 21 0 0 1 54 WEP WEP wizard32
To capture data into a file with airodump-ng, we must specify some additional options to target a specific access point: the channel (-c), the output file prefix (-w) and the access point’s BSSID (--bssid).
wizard32@wizard32:~$ sudo airodump-ng -c 1 -w ~/Desktop/W-packets --bssid 00:11:8F:8E:4E:32 mon0
At this point we can use two different ways to retrieve the password of our network. The first is to use a tool named aircrack-ng on the .cap packets that we captured with airodump-ng; the second is to use the .pcap file from Wireshark and perform a dictionary attack against a specific access point. Let’s analyze them.
Method: aircrack-ng
To recover the WEP key, aircrack-ng only requires that enough data has been collected. So in a terminal we type the command shown in Listing 2 to retrieve our WEP network key. As we can see, aircrack-ng correctly recovered our WEP network key. Let’s now analyze how we can retrieve it using the dictionary attack method on the .pcap file from Wireshark (Listing 3). The options used there are:
-w: identifies our wordlist file
-b: the BSSID of the target access point
Listing 2. Retrieving WEP network key
wizard32@wizard32:~$ sudo aircrack-ng ~/Desktop/W-packets-01*.cap
Opening /home/wizard32/Desktop/W-packets-01.cap
Read 61960 packets.
# BSSID ESSID Encryption
1 00:11:8F:8E:4E:32 wizard32 WEP (21124 IVs)
Choosing first network as target.
Opening /home/wizard32/Desktop/W-packets-01.cap
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 21124 ivs.
Aircrack-ng 1.1
[00:00:02] Tested 7 keys (got 21124 IVs)
KB depth byte(vote)
0 0/ 1 4B(29696) E4(28160) 40(27648) C2(27392) D6(26368) 21(26112) 62(25344) A8(25344)
B3(25344) DB(25344) 2C(25088) 38(25088) A9(25088) 47(24832) C4(24832) CB(24832) CE(24832)
19(24320) 44(24320)
[...]
4 0/ 2 C4(29440) 12(28928) 78(28160) 87(27136) 60(26368) 84(26368) 93(25856) 00(25600)
4C(25600) BD(25344) C5(25344) 03(25088) 68(25088) 7B(25088) F4(25088) 02(24832) 1E(24832)
28(24832) 54(24832)
[...]
KEY FOUND! [ 4B:AB:FE:1C:02 ]
Decrypted correctly: 100%
Listing 3. Retrieving WEP network key using dictionary attack method
wizard32@wizard32:~$ sudo aircrack-ng -w ~/Desktop/mywordlist.txt -b 00:11:8F:8E:4E:32 ~/Desktop/
W-capture.pcap
Opening /home/wizard32/Desktop/W-capture.pcap
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 21096 ivs.
Aircrack-ng 1.1
[00:00:02] Tested 7 keys (got 21096 IVs)
KB depth byte(vote)
1 0/ 1 AB(34816) 32(27904) C6(27648) B0(26624) 12(26112) 16(25600) 28(25600) B1(25600)
CD(25344) F5(25344) 60(25088) D0(25088) E1(25088) D4(24832) 20(24576) 10(24320) 82(24320)
21(24064) 4A(24064)
[...]
2 2/ 3 FE(27648) 4A(26624) B9(25600) EB(25600) 0D(25344) 2A(25344) 3A(25344) 46(25088)
25(24832) 7B(24832) 8E(24832) 9A(24832) AF(24832) 01(24576) C1(24576) 5E(24320) 78(24320)
8F(24320) BD(24320)
[...]
KEY FOUND! [ 4B:AB:FE:1C:02 ]
Decrypted correctly: 100%
Note
Some of these tools (airmon-ng) might need to be installed, unless we are using a system which already has airmon-ng installed, such as BackTrack/Kali or BackBox.
In both cases aircrack-ng successfully recovered the WEP key. Now it’s time to enter our WEP key in Wireshark to enable decryption, in order to locate possible sensitive information. Open the Edit menu, click the Preferences option, and in the Protocols tree locate the IEEE 802.11 protocol. Next, tick the Enable decryption checkbox and click the Edit button to add our WEP key.
The Moment of Truth (TMT)
We search once more for http || dns packets. By reviewing the highlighted code closely in Figure 2 we can see multiple HTTP requests to a specific host. To narrow the results further we will create a new filter which selects only those packets from the specific host: we locate the GET request and apply the selected line as a filter. As before, we locate the line which contains the parameters (username/password). Notice that the packet bytes pane now shows both a Frame tab and a Decrypted WEP data tab.
Protect from Snooping
All the above examples show how easy it is to obtain sensitive data by snooping on a connection. The best way to prevent this is to encrypt the data that is being sent. The best-known encryption methods are SSL (Secure Sockets Layer) and TLS (Transport Layer Security).
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the most widely deployed security protocols in use today. TLS is essentially a protocol that provides a secure channel between two machines operating over the Internet or an internal network. SSL certificates have a key pair: a public and a private key. These keys work together to establish an encrypted connection. The certificate also contains what is called the “subject,” which is the identity of the certificate/website owner.
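Encrypting the channel only protects against the snooping shown above if the client actually verifies the server’s certificate, including the “subject” just mentioned; otherwise anyone who can see the traffic can also sit in the middle of it. The following is an added example (not code from the article or from any project it describes) that uses Python’s standard ssl module to build a client context that does verify the peer, beside the weak “make the warning go away” configuration that does not, and a small audit function that reports which protections a given context is missing. The finding codes, function names and the context settings audited are this example’s own choices.

```python
import ssl

# Three client-side properties that decide whether TLS actually defends against a sniffer
# that can also tamper with traffic: certificate required, hostname checked, modern version.


def make_client_context(cafile=None):
    """A client TLS context that authenticates the server before sending any data."""
    ctx = ssl.create_default_context(cafile=cafile)   # system trust store, or an explicit CA file
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2        # refuse SSLv3/TLS 1.0/1.1
    ctx.check_hostname = True                           # subject / SAN must match the host we dial
    ctx.verify_mode = ssl.CERT_REQUIRED                 # no certificate chain, no connection
    return ctx


def make_weak_context():
    """The configuration often reached by copying a snippet that 'fixes' certificate errors:
    the channel is still encrypted, but the peer could be anyone, so snooping is back."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be disabled before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return a list of (code, explanation) findings; an empty list means the context is sound."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(("no-peer-verification",
                         "peer certificate is not required: any certificate (or none) is accepted"))
    if not ctx.check_hostname:
        findings.append(("no-hostname-check",
                         "certificate subject/SAN is never compared with the requested host name"))
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(("old-tls-allowed",
                         f"minimum protocol version {ctx.minimum_version.name} is below TLS 1.2"))
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", make_client_context()), ("weak", make_weak_context())):
        print(name, audit_context(ctx) or "OK")
```

The hardened context is what `ssl.create_default_context()` already gives you; the explicit assignments are there so the intent survives future edits. The audit function is the kind of check worth running in a code review or a unit test of any client that talks to a login endpoint: a context that scores `no-peer-verification` or `no-hostname-check` offers no more protection against an on-path observer than the clear-text HTTP login captured earlier in the article.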