Shark on a wire

One of my favorite game trailers starts with something like this: “Once upon a time the Aztecs believed that the gods did not just give life to the people, but that it had to be stolen. Prometheus stole the eternal flame, and Alberich stole the ring”.

I’m not implying anything, but the story is as old as the world itself, and we’ll talk about stealing today. We’re going to steal some network traffic. And, of course, it’s not stealing, it’s intercepting =)

wire_01

Traffic interception does not often fall within the sphere of interest of the cyber security specialist, but I believe that neglect is not well deserved, for a number of reasons that we will discuss today. Our main tool today will be Wireshark, a free traffic capture and analysis tool. It has existed since 1999 and has become the standard in its field.

The installation should not cause any problems, and if you use a specialized distribution like Kali, there is a good chance that it is already installed and configured.

So, what do we do? To start, we can simply turn on traffic capture and see what is going on in our network:

wire_02

Not bad. We can see how Wireshark collected the network packets and dissected them. We could start analyzing right away, but in real life that is almost impossible because of the amount of data collected. Fortunately, Wireshark’s built-in filtering system will rule out unnecessary traffic if we are looking for something specific. For example, you can select only HTTP traffic, or traffic from a certain IP, or, say, all the DNS traffic:

wire_03

Even better. But let’s say you’re not sure what you’re looking for. Wireshark can highlight certain things with color:

wire_04

Everything is very flexible and customizable. OK, let’s see some examples.

Let’s say our client has, of course, heard that encryption should be used everywhere. However, the stories about intercepted traffic seemed like something remote, as if they were not about him at all. Therefore, the security policy does not require using only secure channels for remote access to resources. Well, let’s intercept some traffic:

wire_05

So what? A few packets, what’s the problem? Using Follow TCP Stream we can reassemble a user’s session in quite readable form. How does it look now?

wire_06

Login and password are sent in clear text, because that is how the FTP protocol works. Now it is much easier to explain why channels need to be encrypted and why it is necessary to invest in information security infrastructure.

Or here is another example: an intercepted e-mail session over SMTP:

wire_07

Great, look: the connection is established, and now we see some strange characters; our login and password are encrypted. Of course they are not! They are just base64-encoded, and it is no big deal to turn them back into readable form:

wire_08
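To show what that decoding step looks like outside the GUI, here is a small Python script, added to this post as an example and not part of the original, that walks a Follow TCP Stream style transcript and recovers the credentials from an AUTH LOGIN exchange (two base64 lines answering the server’s 334 prompts). It also handles AUTH PLAIN, which packs user and password into a single base64 blob, because you meet both forms on port 25. The session text, host names and credentials are constructed for the example.

```python
import base64

# Constructed sample: what Follow TCP Stream shows for an SMTP login
# over port 25 with no TLS. Host names and credentials are made up.
SAMPLE_SMTP_LOGIN = """\
220 mail.example.test ESMTP ready
EHLO client.example.test
250-mail.example.test
250 AUTH LOGIN PLAIN
AUTH LOGIN
334 VXNlcm5hbWU6
dXNlckBleGFtcGxlLnRlc3Q=
334 UGFzc3dvcmQ6
UDRzc3cwcmQh
235 2.7.0 Authentication successful
MAIL FROM:<user@example.test>
"""

# Constructed sample of the other common mechanism: one blob on the AUTH line.
SAMPLE_SMTP_PLAIN = """\
220 mail.example.test ESMTP ready
EHLO client.example.test
250 AUTH LOGIN PLAIN
AUTH PLAIN AHVzZXIAcGFzcw==
235 2.7.0 Authentication successful
"""


def _b64(token):
    """Decode one base64 token; None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:            # binascii.Error is a ValueError subclass
        return None


def extract_smtp_credentials(session_text):
    """Return the credentials visible in a clear-text SMTP session.

    AUTH LOGIN: server sends '334 <b64 Username:>', client answers with the
    base64 user, server sends '334 <b64 Password:>', client answers with the
    base64 password. AUTH PLAIN: a single base64 blob of
    authzid NUL authcid NUL password, either on the AUTH line or on the
    client line after a bare '334'.
    """
    lines = [ln.rstrip("\r") for ln in session_text.splitlines()]
    found = []
    i = 0
    while i < len(lines):
        line = lines[i]
        parts = line.split(maxsplit=2)
        upper = line.upper()
        if upper.startswith("AUTH PLAIN"):
            blob = parts[2] if len(parts) == 3 else (lines[i + 2] if i + 2 < len(lines) else "")
            decoded = _b64(blob)
            if decoded is not None and decoded.count("\x00") == 2:
                _authzid, user, password = decoded.split("\x00")
                found.append({"mechanism": "PLAIN", "user": user, "password": password})
        elif upper.startswith("AUTH LOGIN"):
            # An initial response on the AUTH line already carries the user name.
            fields = [_b64(parts[2])] if len(parts) == 3 else []
            j = i + 1
            while j < len(lines) and len(fields) < 2 and lines[j].startswith("334"):
                fields.append(_b64(lines[j + 1]) if j + 1 < len(lines) else None)
                j += 2
            if len(fields) == 2 and None not in fields:
                found.append({"mechanism": "LOGIN", "user": fields[0], "password": fields[1]})
            i = j
            continue
        i += 1
    return found


if __name__ == "__main__":
    for sample in (SAMPLE_SMTP_LOGIN, SAMPLE_SMTP_PLAIN):
        for cred in extract_smtp_credentials(sample):
            print(f"{cred['mechanism']}: user={cred['user']!r} password={cred['password']!r}")
```

The point of the script is the same as the screenshot: nothing here is cryptography, so a policy that allows SMTP authentication without STARTTLS or implicit TLS is a policy that allows credentials on the wire.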

Here’s another one:

wire_09

Well, obviously someone is trying to guess an FTP password, and an IPS is either not installed or not configured.
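The two FTP captures above (the clear-text USER/PASS pair, and the repeated failed logins) can both be checked with one piece of logic. The following Python is an added example, not code from the post: it walks a list of control-channel segments in capture order, records every credential pair that is readable in the clear, counts 530 replies per client and flags any client that exceeds a threshold, which is the kind of rule an IPS applies. The addresses, user name, passwords and threshold are constructed assumptions.

```python
CLIENT, SERVER = "10.0.0.5", "10.0.0.20"   # constructed addresses


def _attempt(user, password, reply):
    """One login round trip on the FTP control channel as (src, dst, line)."""
    return [
        (CLIENT, SERVER, f"USER {user}"),
        (SERVER, CLIENT, "331 Please specify the password."),
        (CLIENT, SERVER, f"PASS {password}"),
        (SERVER, CLIENT, reply),
    ]


# Constructed sample: five wrong guesses, then a successful login.
FTP_SAMPLE = [(SERVER, CLIENT, "220 FTP server ready.")]
for _pw in ("guess1", "guess2", "guess3", "guess4", "guess5"):
    FTP_SAMPLE += _attempt("admin", _pw, "530 Login incorrect.")
FTP_SAMPLE += _attempt("admin", "hunter2", "230 Login successful.")


def analyze_ftp(segments, fail_threshold=5):
    """Inspect control-channel segments (src, dst, text) in capture order.

    Credentials come straight from USER/PASS lines because FTP sends them in
    clear text. Server reply codes drive the brute-force heuristic:
    530 = login failed, 230 = logged in.
    """
    pending = {}        # client ip -> last USER/PASS seen from it
    cleartext = []      # (user, password) pairs visible on the wire
    failed = {}         # client ip -> number of 530 replies it received
    successes = []      # (client ip, user, password) for each 230
    for src, dst, text in segments:
        line = text.strip()
        is_reply = len(line) >= 3 and line[:3].isdigit() and (len(line) == 3 or line[3] in " -")
        if is_reply:
            code, client = line[:3], dst            # reply goes to the client
            entry = pending.get(client, {})
            if code == "530":
                failed[client] = failed.get(client, 0) + 1
            elif code == "230":
                successes.append((client, entry.get("user"), entry.get("pass")))
            continue
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            pending[src] = {"user": arg, "pass": None}
        elif cmd == "PASS":
            entry = pending.setdefault(src, {"user": None, "pass": None})
            entry["pass"] = arg
            cleartext.append((entry["user"], arg))
    suspects = sorted(ip for ip, n in failed.items() if n >= fail_threshold)
    return {
        "cleartext_credentials": cleartext,
        "failed_logins": failed,
        "successful_logins": successes,
        "suspected_brute_force": suspects,
    }


if __name__ == "__main__":
    report = analyze_ftp(FTP_SAMPLE)
    print("credentials seen in the clear:", len(report["cleartext_credentials"]))
    print("failed logins per client:", report["failed_logins"])
    print("suspected brute force:", report["suspected_brute_force"])
```

The threshold is deliberately a parameter: a single client with a mistyped password looks the same on the wire as the first attempt of a guessing run, so what separates the two is the count over time, and that is exactly the tuning an IPS signature needs.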

I found these examples on the Internet. In real life everything is usually more complicated, and even with all of Wireshark’s features the analysis of captured traffic can take much more time.

And here is the second reason why traffic interception deserves attention. On the Internet you can find a capture of almost any protocol with a detailed breakdown. The educational potential of this is hard to overestimate. For example, have you heard something about the DORA process that takes place when a DHCP address is obtained? Cool, here it is:

wire_10
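To make the four DORA messages concrete, here is an added Python example (mine, not the post’s): it builds minimal DHCP payloads with the fixed header layout from RFC 2131, dissects them back the way Wireshark’s DHCP dissector does, reads option 53 (message type) and yiaddr, and groups messages by transaction id to check that each exchange runs Discover, Offer, Request, Ack. The transaction ids, MAC address and offered address are constructed.

```python
import socket
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"       # magic cookie that starts the options field
BOOTREQUEST, BOOTREPLY = 1, 2
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def build_dhcp(op, xid, msg_type, yiaddr="0.0.0.0",
               chaddr=b"\x00\x11\x22\x33\x44\x55", extra_options=b""):
    """Construct a minimal DHCP payload (the UDP body) for the sample below."""
    zero = socket.inet_aton("0.0.0.0")
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, 6, 0,                  # op, htype=Ethernet, hlen=6, hops
                        xid, 0, 0x8000,               # xid, secs, flags (broadcast bit)
                        zero,                         # ciaddr
                        socket.inet_aton(yiaddr),     # yiaddr: address offered/assigned
                        zero, zero,                   # siaddr, giaddr
                        chaddr, b"", b"")             # chaddr, sname, file (null padded)
    options = bytes([53, 1, msg_type]) + extra_options + b"\xff"
    return fixed + DHCP_MAGIC + options


def parse_dhcp(raw):
    """Dissect the fixed header and the TLV options of one DHCP payload."""
    if len(raw) < 240 or raw[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", raw[:12])
    yiaddr = socket.inet_ntoa(raw[16:20])
    chaddr = raw[28:28 + hlen].hex(":")
    options, i = {}, 240
    while i < len(raw):
        code = raw[i]
        if code == 0:                                # pad
            i += 1
            continue
        if code == 255 or i + 1 >= len(raw):         # end, or truncated option
            break
        length = raw[i + 1]
        options[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    mtype = options.get(53)
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "chaddr": chaddr,
            "type": MSG_TYPES.get(mtype[0], "UNKNOWN") if mtype else "UNKNOWN",
            "options": options}


def classify_exchange(parsed):
    """Group messages by transaction id and say whether each is a complete DORA."""
    by_xid = {}
    for p in parsed:
        by_xid.setdefault(p["xid"], []).append(p["type"])
    return {xid: "complete DORA" if seq == ["DISCOVER", "OFFER", "REQUEST", "ACK"]
            else "incomplete: " + " -> ".join(seq)
            for xid, seq in by_xid.items()}


# Constructed sample: one successful lease and one transaction the server rejects.
XID_OK, XID_NAK = 0x3903F326, 0x1A2B3C4D
OFFERED = "192.168.1.100"
SAMPLE_DORA = [
    build_dhcp(BOOTREQUEST, XID_OK, 1),                               # Discover
    build_dhcp(BOOTREPLY, XID_OK, 2, yiaddr=OFFERED),                 # Offer
    build_dhcp(BOOTREQUEST, XID_OK, 3,                                # Request (option 50 = requested IP)
               extra_options=bytes([50, 4]) + socket.inet_aton(OFFERED)),
    build_dhcp(BOOTREPLY, XID_OK, 5, yiaddr=OFFERED),                 # Ack
]
SAMPLE_NAK = [
    build_dhcp(BOOTREQUEST, XID_NAK, 3),                              # Request for a stale lease
    build_dhcp(BOOTREPLY, XID_NAK, 6),                                # NAK
]


def summarize(payloads):
    return classify_exchange([parse_dhcp(p) for p in payloads])


if __name__ == "__main__":
    for xid, verdict in summarize(SAMPLE_DORA + SAMPLE_NAK).items():
        print(f"xid 0x{xid:08x}: {verdict}")
```

Grouping by xid is also what makes the capture readable when a busy segment has several clients leasing at once, and it is the first thing to check when a client never gets past Discover: a missing Offer points at the server or a relay, a NAK after Request points at a stale lease on the client.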

Preparing for the CCNA and the routing protocol material does not seem clear? No problem, this is how RIP works:

wire_11

or, for example, OSPF:

wire_12

You can find out in detail how authentication protocols work and never again have to wonder what is transmitted in the open and what is encrypted.

In real-life scenarios all the traffic should be analyzed by software. But as a cyber security professional you have to know what is going on behind that software and be ready to see things for yourself.

One thought on “Shark on a wire”

  1. By the way, Wireshark can decrypt traffic if you have the session key. If you’ve cracked long-term keys from IPsec and PFS isn’t enabled – you’re welcome! =) Can be useful for pentest.
