Wire Shark

Websites like Amazon are able to uniquely identify clients and provide personalized content through the use of cookies. Here's how it works:
1. When a user first visits Amazon, the web server assigns them a unique session ID and sends a cookie containing that ID to the user's browser.
2. On subsequent requests to Amazon (browsing different pages, adding items to cart, etc.), the browser automatically sends the cookie and session ID back to the server.
3. The server uses the session ID in the cookie to look up information stored server-side, like the user's name, account details, shopping cart contents, etc. This allows the server to recognize the user and provide a personalized experience.
4.

Uploaded by

Surbhi Dahiya
Network 4 pillars
Addresses

Protocols

Network Type
• Base (TCP, UDP)
• Service

Service Type
• SCADA (Stuxnet happened on this)
• Volatile (infrared network)
TCP
For sending data packets
Three flags used for connection (SYN, SYN+ACK, ACK)

UDP
For sending voice packets
Wireshark
An open source network scanner and monitoring tool.
It monitors traffic and even individual packets captured from a network interface.
Usage
• Network administrators use it to isolate and troubleshoot problems on their network
• Used by attackers to capture usernames, passwords, email and search history
** It is a network analysis tool formerly known as Ethereal. It captures packets in real time and displays them in human-readable format.
Color Predictions
• Light Blue - Information packet
• Dark Grey - Information packet
• Red - Dropped packet or connection-termination packet using RST, FIN, PSH
• Dark Blue - Dropped packet or connection-termination packet using RST, FIN, PSH
• Green - Data packets (username, password, images, OTP…)
• Yellow - Data packets (username, password, images, OTP…)
Wireshark parameters

No - Serial number
Time - Micro/millisecond
Source - IP or MAC of the sender who is originating the packet
Destination - IP or MAC of the host that is receiving the packet
Protocol
Length - In bytes; packets with more than 512 have to be focused on
Info - Window size, TCP details / UDP details

Note: If I open Google, which port is running on my own machine? 80 or 443?


Filters
http - Mostly green color
ocsp - Google packet
ftp - Packet downloads
VoIP - If voice packets
TCP - tcp.port == 445 (for SMB), tcp.port == 80 (HTTP), tcp.port == 443 (HTTPS)
UDP - udp.port == 443 (these are not showing websites; use the dns filter)
dns && (tcp.port == 53 || udp.port == 53) - all DNS names opened will be shown
ip.addr == 192.168.10.1
ip.src == 192.178.12.32 or ip.dst == 192.165.14.3
tcp contains "testphp.vulnweb.com"
http.request.method == "POST"
http.request.method == "GET"
Other information

Standard Query 0x95d1 - means SYN checksum flag

Query Response - means SYN+ACK flag
To Check Malicious Packets
To find malicious packets, look for RST in the Info column. If there is no RST, no packets are being dropped. That's a good signal.

Check packets where a message is being sent from my computer to some other place. The TCP details in the lower panel show the source and destination port.

If it is showing multiple RSTs, my computer is blocking the packets and saying "stop talking to me", so there is a high possibility that someone is scanning.

If requests are coming to multiple ports of our system, it can be a network scan to find out which ports are open.
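
The two signals described above (one remote host touching many local ports, and the local machine answering with RST) can be checked together. The following is an added example, not part of the original slides; the addresses, the packet tuples and the thresholds `min_ports` and `min_rst_ratio` are constructed assumptions.

```python
from collections import defaultdict

def build_sample():
    """Constructed sample traffic: (src_ip, dst_ip, src_port, dst_port, flags)."""
    pkts = []
    open_ports = {22, 80}  # services assumed to be listening on 10.0.0.5
    # 10.0.0.99 sends one SYN to each of eight ports; closed ports answer RST.
    for i, port in enumerate([21, 22, 23, 25, 80, 443, 445, 3389]):
        pkts.append(("10.0.0.99", "10.0.0.5", 40000 + i, port, {"SYN"}))
        reply = {"SYN", "ACK"} if port in open_ports else {"RST", "ACK"}
        pkts.append(("10.0.0.5", "10.0.0.99", port, 40000 + i, reply))
    # 10.0.0.20 is an ordinary web client: three connections to port 80.
    for i in range(3):
        pkts.append(("10.0.0.20", "10.0.0.5", 50000 + i, 80, {"SYN"}))
        pkts.append(("10.0.0.5", "10.0.0.20", 80, 50000 + i, {"SYN", "ACK"}))
    return pkts

def find_scanners(packets, local_ip, min_ports=5, min_rst_ratio=0.5):
    """Flag remote hosts that probed many local ports and were mostly refused."""
    probed = defaultdict(set)   # remote IP -> local ports it sent a bare SYN to
    refused = defaultdict(set)  # remote IP -> local ports that answered with RST
    for src, dst, sport, dport, flags in packets:
        if dst == local_ip and "SYN" in flags and "ACK" not in flags:
            probed[src].add(dport)
        elif src == local_ip and "RST" in flags:
            refused[dst].add(sport)
    report = {}
    for remote, ports in probed.items():
        rst_ports = refused[remote] & ports
        if len(ports) >= min_ports and len(rst_ports) / len(ports) >= min_rst_ratio:
            report[remote] = {"ports_probed": sorted(ports),
                              "ports_refused": sorted(rst_ports)}
    return report

if __name__ == "__main__":
    for host, detail in find_scanners(build_sample(), "10.0.0.5").items():
        print(host, detail)
```
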
Data Capturing using Wireshark
Go to the web browser and open some image.

Then come back to Wireshark.

You will see a GET line and then an HTTP line next.

The GET line shows your request. This should be the HTTP GET message that was sent from your computer (e.g. PC1) to the PC2 HTTP server.

The next HTTP line shows the response from the web server.

Select it; you will see a JPEG or PNG key depending on which type of image you have opened.

Select that key and right-click. Select the option Export Selected Packet Bytes.
Packet Sniffer
Packet sniffers are used to monitor the data transmitted over a network.

They are used both by administrators for diagnostic or troubleshooting purposes and by hackers to steal data transmitted over the network.

A packet sniffer is a program that can see all traffic flowing over the network back and forth. Obviously, placement of the packet sniffer in an environment is crucial.

Packet sniffing is applicable to both wired and wireless networks.

Packet capturing helps to diagnose and investigate network problems like congestion.

It helps to filter network traffic.

It helps in discovering network misuse, vulnerabilities, malware, etc.


How to find people’s IP address using wireshark and tell
them you know where they live?

In the filter bar, type UDP

After that you are set to troll people

Open omegle.com

Start chat by typing hey

Type ”wanna bet I can find where you live”

Start a new capture

Open ipaddress.com/search/

Here type the destination address by finding it from wireshark (2.88.12.41) and press lookup

It will provide you the destination country, e.g. "Saudi Arabia", the administrative contact and other details
Why Cookies are important?

An HTTP cookie (also called web cookie, Internet cookie, browser cookie or simply cookie) is a small piece of data sent from a website and stored in the user's web browser while the user is browsing.
Cookies were designed to be a reliable mechanism for websites to remember items added in the shopping cart in an online store or recording which pages were visited in the past.
They can also be used to remember arbitrary pieces of information that the user previously entered into form fields such as names, addresses, passwords, and credit card numbers.
Types

Session cookie
• A session cookie exists only in temporary memory while the user navigates the website.
• Web browsers normally delete session cookies when the user closes the browser.
• Session cookies do not have an expiration date assigned to them, which is how the browser knows to treat them as session cookies.

Persistent cookie
• A persistent cookie expires at a specific date or after a specific length of time. For this reason, persistent cookies are sometimes referred to as tracking cookies because they can be used by advertisers to record information about a user's web browsing habits over an extended period of time.
• They are also used for "legitimate" reasons (such as keeping users logged into their accounts on websites, to avoid re-entering login credentials at every visit).
• These cookies are however reset if the expiration time is reached or the user manually deletes the cookie.
Capturing cookies and displaying passwords

1. Start Wireshark
2. Open an HTTP website in the browser
3. Enter username and password
4. Stop Wireshark
5. Apply HTTP as filter and locate a POST packet
6. In the panel below, HTTP will show you the cookie
Uses
• Session management
Cookies were originally introduced to provide a way for users to record items they want to
purchase as they navigate throughout a website (a virtual "shopping cart" or "shopping basket").
Today, however, the contents of a user's shopping cart are usually stored in a database on the
server, rather than in a cookie on the client. To keep track of which user is assigned to which
shopping cart, the server sends a cookie to the client that contains a unique session identifier
(typically, a long string of random letters and numbers). Because cookies are sent to the server
with every request the client makes, that session identifier will be sent back to the server every
time the user visits a new page on the website, which lets the server know which shopping cart
to display to the user.
Another popular use of cookies is for logging into websites. When the user visits a website's login
page, the web server typically sends the client a cookie containing a unique session identifier.
When the user successfully logs in, the server remembers that that particular session identifier
has been authenticated, and grants the user access to its services.
• Personalization
Cookies can be used to remember information about the user in order to show relevant content
to that user over time. For example, a web server might send a cookie containing the username
last used to log in to a website so that it may be filled in automatically the next time the user logs
in.
Sites like amazon.com seem to "know who I am."
How do they do this? How does a client uniquely
identify itself to a server, and how does the
server provide specific content to each client?
How Cookies are sent
Session
Session: an abstract concept to represent a series of HTTP requests and responses between a specific Web browser and server
• sessions vs. cookies:
• a cookie is data stored on the client
• a session's data is stored on the server (only 1 session per client)
• sessions are often built on top of cookies: the only data the client stores is a cookie holding a unique session ID
• on each page request, the client sends its session ID cookie, and the server uses this to find and retrieve the client's session data
How a session is established

• client's browser makes an initial request to the server

• server notes client's IP address/browser, stores some local session data, and sends a session ID back to client

• client sends that same session ID back to server on future requests

• server uses session ID to retrieve the data for the client's session later, like a ticket given at a coat-check room
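
The session exchange above, written out as an added example that is not part of the original slides. The cookie name `sid`, the `SESSIONS` store and the functions `handle_request` and `demo` are assumptions made for illustration. The cookie is issued with `Secure` so the browser only returns it over HTTPS, which keeps it out of a plaintext HTTP capture like the one described earlier, and with no expiry so it stays a session cookie.

```python
import secrets
from http.cookies import SimpleCookie

SESSIONS = {}  # server-side store: session ID -> that client's session data

def handle_request(cookie_header, path):
    """Process one request; return (Set-Cookie value or None, session data)."""
    jar = SimpleCookie(cookie_header or "")
    sid = jar["sid"].value if "sid" in jar else None
    set_cookie = None
    if sid not in SESSIONS:
        # First visit, or an ID the server never issued: mint a fresh one.
        sid = secrets.token_urlsafe(32)      # long, unpredictable identifier
        SESSIONS[sid] = {"pages": []}
        out = SimpleCookie()
        out["sid"] = sid
        out["sid"]["path"] = "/"
        out["sid"]["secure"] = True          # only sent back over HTTPS
        out["sid"]["httponly"] = True        # not readable from page scripts
        out["sid"]["samesite"] = "Lax"
        set_cookie = out["sid"].OutputString()
    SESSIONS[sid]["pages"].append(path)      # the "coat" kept behind the counter
    return set_cookie, SESSIONS[sid]

def demo():
    """Simulate a browser: first visit, a return visit, and a made-up ID."""
    first_cookie, _ = handle_request(None, "/")
    stored = first_cookie.split(";")[0]      # browser keeps "sid=<value>"
    second_cookie, data = handle_request(stored, "/cart")
    forged_cookie, forged_data = handle_request("sid=guessme", "/cart")
    return first_cookie, second_cookie, data, forged_cookie, forged_data

if __name__ == "__main__":
    for item in demo():
        print(item)
```
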
