Lab04-Evaluate Incidents Using Wireshark & NetworkMiner
HyperText Transfer Protocol (HTTP) is an application-layer protocol used to deliver web content
to a browser. With HTTP, the data exchanged between two communicating devices has no
safeguard: anyone who can observe the traffic can read it.
With HTTPS, the exchanged data is encrypted using a mathematical algorithm that hides its true
meaning from observers. The identity of the server and the keys used for encryption are
established through certificates.
Regardless of whether a site uses HTTP or HTTPS, it is recommended that you exchange data only
with websites that you trust. Just because a site uses HTTPS does not mean it is trustworthy;
threat actors commonly use HTTPS to hide their activities.
In this task, you will explore and capture HTTP and HTTPS traffic using Wireshark.
Required Resources
• Security Onion VM
• Internet access
Task 1: Capture and view HTTP traffic
1. In this part, you will use the tcpdump command to capture HTTP traffic. Command options are
used to save the captured traffic to a packet capture (pcap) file, which can then be analyzed by
any application that reads pcap files, including Wireshark.
2. Start the Security Onion VM. Username: hct Password: Letmein
3. Open a terminal and start tcpdump.
a. Open a terminal application and enter the command ifconfig.
b. List the interfaces and their respective IP addresses displayed in the ifconfig output:
c. Create a new directory named Lab04 in the hct user's home directory, and then change the
current directory to Lab04.
d. Start tcpdump and record network traffic on the eth0 interface with:
sudo tcpdump -i eth0 -s 0 -w httpdumpLab04.pcap
This command starts tcpdump and records network traffic on the eth0 interface.
• -i specifies the interface to capture on. If not specified, tcpdump will capture all
traffic on all interfaces.
• -s specifies the snapshot length, the number of bytes captured from each packet (0-65535).
• -w writes the captured packets to the named file instead of printing them to the terminal.
e. Open the Chromium web browser within the Security Onion.
f. Navigate to http://testphp.vulnweb.com/login.php
6. Browse through the different HTTP messages and select the POST message.
7. The selected message is displayed in the lower window (the packet details pane). Expand the
Line-based text data: application/x-www-form-urlencoded section to view the submitted form data.
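The same inspection that steps 6 and 7 perform by hand in Wireshark can be automated over the pcap file that tcpdump wrote, which is how a defender would sweep a capture for cleartext credential submissions. The script below is an added example, not part of the lab handout or of any tool it names: it parses a classic pcap with only the Python standard library, walks Ethernet/IPv4/TCP, and reports every HTTP POST whose body is application/x-www-form-urlencoded. The sample capture is constructed in memory (RFC 5737 addresses, the form field names uname and pass, and a placeholder segment standing in for HTTPS are all assumptions), and the report records field names only, so it can be run against a real capture without copying secrets into a log.

```python
# Added example (not part of the lab handout): scan a pcap for HTTP POSTs whose
# form bodies crossed the wire in cleartext, using only the standard library.
import struct
from urllib.parse import parse_qs

ETHERTYPE_IPV4 = b"\x08\x00"
LINKTYPE_ETHERNET = 1
CREDENTIAL_HINTS = ("pass", "pwd", "secret", "token")  # assumed field-name hints


def make_frame(src, dst, sport, dport, payload):
    """Build an Ethernet/IPv4/TCP frame carrying `payload` (checksums left at 0)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip_total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + ETHERTYPE_IPV4
    return eth + ip + tcp + payload


def build_sample_pcap():
    """Constructed capture: one cleartext login POST plus one opaque (HTTPS-like) segment."""
    body = b"uname=test&pass=test"  # constructed sample values
    http_post = (b"POST /login.php HTTP/1.1\r\n"
                 b"Host: testphp.vulnweb.com\r\n"
                 b"Content-Type: application/x-www-form-urlencoded\r\n"
                 b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)
    opaque = b"\x17\x03\x03\x00\x10" + bytes(range(16))  # placeholder bytes, not real TLS
    frames = [make_frame("192.0.2.10", "203.0.113.5", 40000, 80, http_post),
              make_frame("192.0.2.10", "203.0.113.5", 40001, 443, opaque)]
    # pcap global header: magic, version 2.4, tz offset, sigfigs, snaplen, linktype
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for n, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + n, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(pcap):
    """Yield (linktype, frame_bytes) for every record in a classic pcap file."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(end + "I", pcap, 20)
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(end + "IIII", pcap, off)
        off += 16
        yield linktype, pcap[off:off + incl_len]
        off += incl_len


def tcp_segment(frame):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:  # IP protocol 6 is TCP
        return None
    total_len, = struct.unpack_from("!H", ip, 2)
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[data_off:]


def find_cleartext_form_posts(pcap):
    """Report form-urlencoded POSTs that were readable on the wire.

    Only field names are recorded, so the report itself does not leak secrets.
    """
    findings = []
    for linktype, frame in iter_frames(pcap):
        seg = tcp_segment(frame) if linktype == LINKTYPE_ETHERNET else None
        if seg is None:
            continue
        src, dst, sport, dport, payload = seg
        if not payload.startswith(b"POST "):
            continue  # opaque (e.g. TLS) or non-POST data is left alone
        head, sep, body = payload.partition(b"\r\n\r\n")
        if not sep:
            continue
        lines = head.decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
            continue
        fields = sorted(parse_qs(body.decode("latin-1"), keep_blank_values=True))
        findings.append({
            "src": src, "dst": dst, "dport": dport,
            "host": headers.get("host", ""),
            "path": lines[0].split()[1],
            "fields": fields,
            "credential_fields": [f for f in fields
                                  if any(h in f.lower() for h in CREDENTIAL_HINTS)],
        })
    return findings


if __name__ == "__main__":
    # To scan the lab capture instead: find_cleartext_form_posts(open("httpdumpLab04.pcap", "rb").read())
    for hit in find_cleartext_form_posts(build_sample_pcap()):
        print(f"cleartext form POST {hit['src']} -> {hit['host']}{hit['path']} "
              f"fields={hit['fields']} credential_fields={hit['credential_fields']}")
```

The opaque port-443 segment in the sample is skipped by design: there is no readable request line or header to match, which is exactly the difference the lab asks you to observe between HTTP and HTTPS traffic. Captures from a real session may split a POST across several TCP segments; this scanner only matches segments that begin with the request line, so a production version would reassemble the TCP stream first.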