One of my favorite game trailers starts with something like this: “Once upon a time Aztecs believed that the gods did not just gave life to the people, but it had to be stolen. Prometheus stole the eternal flame, and Alberich stole the ring”.
I’m not implying anything, but the story is as old as the world itself and we’ll talk about stealing today. We’re going to steal some network traffic. And, of course, it’s not stealing it’s intercepting =)
Interception of traffic does not often fall into the sphere of interest of the cyber security specialist, but I believe it is not very well deserved for a number of reasons that we will discuss today. Our main tool today will be Wireshark – a free traffic interceptor and analyzer. It has been in existence since 1999 and has become a standard in its field.
The installation should not cause any problems, and if you use any specialized distribution like Kali, there is a great chance that it is already installed and configured.
So, what do we do? To start, we can just turn on traffic interception and see what’s going on in our network:
It’s not bad. We see how Wireshark collected the network packets and disassembled them. We can already start analyzing, but in real life it is almost impossible because of the amount of data collected. Fortunately Wireshark built-in filtering system will rule out unnecessary traffic if we are looking for something specific. For example, you can select only HTTP-Traffic, or traffic from a certain IP, or for example to see all the DNS Traffic:
Even better. But let’s say you’re not sure what you’re looking for. Wireshark can highlight some things with a certain color:
Everything is very flexible and customizable. OK, let’s see some examples.
Let’s say our client, of course, heard that we need to use encryption everywhere. However, the stories about intercepted traffic seemed to be something remote as if not even about him. Therefore, the security policy does not reflect the requirement to use only secure channels for remote access to resources. Well, let’s intercept some traffic:
So what? Some packets, what’s the problem? Using the Follow Stream we can assemble a user’s session in a quite readable form. How does it look now?
Login and password are sent in the open text, because FTP protocol works this way. Now it’s much easier to explain why it is necessary to encrypt channels and invest in information security infrastructure.
Or here is another example, an intercepted e-mail session with SMTP:
Great, look, the connection established and now we can see some strange characters, our login and password are encrypted. Of course, they are not! They are just encoded in base64 and it’s not a big deal to turn them into a readable form:
Here’s another one:
Well, obviously someone is trying to guess a password to FTP, but IPS either not installed or not configured.
I found these examples on the Internet. In real life, everything is usually more complicated and even with all Wireshark features the analysis of collected traffic can take much more time.
And here is the second reason why it is worth paying attention to the interception of traffic. On the Internet you can find a sample of almost any protocol with detailed parsing. The educational potential of this is difficult to overestimate. For example, you heard something about the process DORA when you receive an address DHCP? It’s cool, here it is:
Preparing for CCNA and the routing protocol information does not look clear? No problem, that’s how RIP works:
or, for example, OSPF:
You can find out in detail how authentication protocols work and never go back to thinking about what is transmitted in the open and what is encrypted.
In real life scenarios all the traffic should be analyzed by software. But as cyber security professional you have to know what is going on behind this software and be ready to see things by yourself.