Wireshark

Wireshark is one of the most popular and powerful network analysis software tools in
the world. It provides the capability to monitor and analyze network traffic deeply.
Here's a brief introduction to Wireshark:
1. Main Purpose:
Wireshark is used to analyze real-time network traffic and also to examine previously recorded
traffic. It helps network administrators, security engineers, and application developers
troubleshoot network issues, diagnose disruptions, and secure networks.

2. Key Features:
• Capture Capabilities: Wireshark can capture traffic from various types of
network interfaces including Ethernet, Wi-Fi, Bluetooth, and more.
• Rich Protocol Support: It supports a wide range of network protocols including
TCP, UDP, HTTP, HTTPS, DNS, SNMP, and many more.
• Powerful Filtering: Wireshark has powerful filters, allowing users to extract
specific traffic relevant for analysis.
• Decryption Support: It can decrypt encrypted traffic such as HTTPS and
SSH, provided users have the appropriate keys.
• Packet Analysis: Displays comprehensive information about each captured packet,
including headers and data payload.
3. User Interface:

• Packet List Pane: Displays the list of captured packets.

• Packet Details Pane: Shows detailed information about the selected packet.
• Packet Bytes Pane: Displays a hexadecimal representation of the packet data.
• Filter Toolbar: Allows users to apply filters to display relevant packets.
• Statistics Pane: Provides statistics about network traffic, including graphs and
summaries.
4. Platform Support:

• Wireshark is available for various platforms including Windows, macOS, and Linux.

5. Common Uses:
• Diagnosing network issues such as connection disruptions or slow performance.
• Analyzing network security, such as detecting attacks or identifying
security vulnerabilities.
• Development and debugging of network applications.
• Monitoring network traffic for auditing or compliance purposes.
Example of using Wireshark:

1. Sniffing FTP credentials using wireshark

FTP(File transfer protocol) transfer files between computers

connected in a network, such as the internet. FTP is commonly used to upload or
download files from an FTP server to a client computer, or vice versa.
FTP is Vulnerable to Man-in-the-Middle Attacks: Because FTP does not
provide encryption,
it is vulnerable to Man-in-the-Middle (MITM) attacks, where an attacker can eavesdrop
on or manipulate data traffic between the client and FTP server.
Victim accesses FTP and enters credentials.

Attackers can view traffic in Wireshark by filtering TCP port 21.

Then right-click on the TCP packet, follow TCP stream, and the information will be displayed.

2. How to get Website Login Credentials using Wireshark

HTTP (Hypertext Transfer Protocol) is a communication protocol used to transfer data on the
World Wide Web (WWW). HTTP is the fundamental protocol used to send and receive
information between clients (such as web browsers) and web servers. As a text-based
application protocol, HTTP governs how data is transferred and interpreted. Typically,
HTTP
is used to fetch web pages but can also be used to transfer various types of data, including
images, videos, and other files.
Despite undergoing various version improvements, including HTTP/1.0, HTTP/1.1, and the
latest HTTP/2, the protocol still has some vulnerabilities that can be exploited by
attackers. Some common vulnerabilities in HTTP include: Man-in-the-Middle (MITM)
Attacks: Attackers
can exploit this vulnerability by attempting to
position themselves between the client and server to monitor or modify the communication that
occurs between them.

a) The attacker sets up a Fake Wi-Fi network so that the victim will use that Wi-
Fi for browsing.
 b) After the victim connects to the Wi-Fi and starts browsing, if the victim enters
login credentials, the attacker can see the data being sent.
In this scenario, the victim logs in to a website and enters their username and password.

Then the attacker can open Wireshark and select the appropriate interface for analysis.
Since the login is done using the "POST" method, they can apply filtering to dis
play only POST requests. After the filtered POST requests appear, the attacker can right-
click and choose "Follow" -> "HTTP Stream" to analyze the HTTP stream for further
information.
Then it will display the following section, where the username and password entered by
the victim are visible. Once obtained, the attacker can use these credentials.
 3. Analyzing Hydra Brute Force using Wireshark

Hydra is one of the most well-known and powerful penetration testing tools used to
conduct brute force attacks. A brute force attack is a method where an attacker tries
all possible combinations of passwords to gain unauthorized access to a system.
Running brute force using Hydra.

When analyzed with Wireshark, numerous POST method traffic packets associated with
brute force attacks are visible.
 4. Detecting SQL Injection with Wireshark

SQL injection is a type of attack used to exploit web applications that utilize SQL (Structured
Query Language) to process data. In a SQL injection attack, the attacker inserts malicious
SQL code into input received by the web application, which is then executed by the
database. The attacker inputs SQLi payload.

Analysis in Wireshark and filter by the GET method, select packets containing SQL
injection payloads, as seen below where the attacker inputs the SQLi payload.
 5. Analysis of Nmap Scanning using Wireshark
Nmap (Network Mapper) is one of the most popular and powerful network scanning
tools used to discover hosts and services within a computer network. It allows users to
conduct network scans to determine which hosts are active, what services are running on
those hosts, as well as additional information about the hosts and services.
Several flags commonly used in conjunction with Nmap are:

1. -sS (TCP SYN scan): This is the most common type of scan. Nmap sends a SYN packet
to the target port and waits for a response. If the response is SYN/ACK, it means
the port is open. If the response is RST, it means the port is closed. If there is no
response, it may indicate the port is filtered.
2. -sT (TCP Connect scan): This scan actively connects to the target port. If the
connection is successful, it means the port is open. However, this scan is more
easily detected by firewalls and network logging.

3. -sU (UDP scan): This scan is used to discover open UDP services on the target host.
UDP is a connectionless protocol, so UDP scanning is more complex and slower than
TCP.
4. -sV (Service version detection): This flag allows Nmap to attempt to
determine the version of the service running on the discovered ports. It is
useful for identifying the running software version, which can help in
determining potential vulnerabilities.