ABSTRACT
It is known that Wireshark is a powerful tool
that goes far beyond a simple sniffer. What many do not know is that there are
several ways to harness the potential of this tool, readers, this article will
introduce. Let us learn to sniff the network effectively, create filters to
find only the information we want, see it as a black hat would use this tool to
steal passwords and finally, how to use Wireshark to diagnose network problems
or if a firewall is blocking packets correctly.
INTRODUCTION
Your
password is hard to be broken? Has many characters and you trade with a certain
regularity and one day you're surprised to receive allegations of invasion.
Evidence indicates that the invasions third party accounts departed from your
account and you have no idea what is happening. That is, someone may have made
use of your account and performed such acts as you. How could this have
happened? A strong possibility is that you have been the victim of an attack of
"sniffer".
UNDESTAND THE MAIN CONCEPT
What are
Sniffers? Well... Are very useful software, so great is the use of them, even
the IDS systems are made based sniffers. A sniffer is a program that can
capture all traffic passing in a segment of a network.
Programs that
allow you to monitor network activity recording names (username and password)
each time they access other computers on the network.
These programs
are monitoring ("sniffing") network traffic to capture access to
network services, such as remote mail service (IMAP, POP), remote access (telnet,
rlogin, etc.), file transfer (FTP) etc.. Accesses made, captured packets.
Always aiming to get identification for access the user's account.
When we called the HUB computer and send information from
one computer to another, in reality these data are for all ports of the HUB,
and therefore for all machines. It turns out that only the machine on which the
information was intended to send the operating system.
If a sniffer was running on other computers, even without
these systems send the information travels there for the operating system, the
sniffer will intercede at the network layer, data capturing and displaying them
to the user, unfriendly way. Generally the data are organized by type of protocol
(TCP, UDP, FTP, ICMP, etc...) and each package shown may have read your
content.
YOUR PASSWORD CAN BE CAPTURED BY SNIFFERS
Many local area networks (LANs) are configured sharing
the same Ethernet segment. Virtually any computer of the network can run a
"sniffer" program to "steal" users passwords.
"Sniffers" work monitoring the flow of communication between
computers on the network to find out when someone uses the network services
previously mentioned. Each of these services uses a protocol that defines how a
session is established, such as your account is identified and authenticated
and how to use the service.
To have access to these services, you first have to have
a "log in". Is the login sequence - the part of these authentication
protocols, which occurs at the beginning of each session - the
"sniffers" are concerned, because it is this part that is your
password. Therefore, it is the only filter "strings" keys that the
password is obtained.
STEP BY STEP
Currently, almost all environments using switches and not
hubs, which makes sniffing a little more difficult because the switches do not
send the data to all ports as a hub does, it sends directly to the port where
the host destination, so if you try to sniff a network switch you will only
hear what is broadcast, or its own connection. To be able to hear everything
without being the gateway of the network, an ARP spoof attack is necessary, or
burst the CAM table of the switch.
Basic Usage
Now let's put our hands dirty: I'm assuming you already
have the program installed, if you do not download. When starting Wireshark,
the displayed screen will look something like Figure 1:
Figure
1) Wireshark.
Before you can start capturing packets, we have to define
which interface will "listen" to the traffic. Click Capture
> Interfaces
Figure
2) Interfaces.
From there, a new window will appear with the list of
automatically detected interfaces, simply select the desired interface by
clicking the box next to the name of the interface, as in figure 3:
Figure
3) Capture Interfaces.
If you click Start, it will begin automatically captures.
You can only select the interface and only then start the capture if necessary.
When the capture process starts, you will see several
packets traversing the screen Wireshark (varying according to the traffic of
your machine / network). Will look something like the figure 4:
Figure
4) Capturing.
To stop the capture, simply click the button, "Stop
the running live capture".
Figure
5) Stop.
It is important to remember that you must take care if
your network is busy, the data stream may even lock your machine, then it is
not advisable to leave the Wireshark capture for a long time, as we will see,
we will leave it running only during the process debug a connection. The
greater the amount of packets, the longer it takes to apply a filter, find a
package, etc.
With this we have the basics of the program, we can set
the capture interface, start and stop the capture. The next step is to identify
what interests among many packages. For this, we will start using filters.
Using Filters
There is a plethora of possible filters, but at this
moment we will see just how to filter by IP address, port and protocol.
The filters can be constructed by clicking on "Filter", then selecting the
desired filter (there is a short list of pre-defined filters), or by typing
directly into the text box. After you create your filter, just click "Apply", if you wanted to see the
entire list of packages again just click "Clear", this will remove the filter previously applied.
Figure 6) Filter.
I will use a small filter list as an example:
Figure
7) Example by Rafael Souza (RHA Infosec).
It is also possible to group the filters, for
example:
ip.src
== 10.10.10.1 && tcp.dstport==80 OR ip.src == 10.10.10.1 and
tcp.dstport==80
Source
address 10.10.10.1
And
destination port 80
CAPTURING PASSWORDS
Now
we will see how you can capture passwords easily, just by listening to traffic.
For this example we will use the POP3 protocol, which sends the data in clear
text over the network. To do this, start capturing packets normally and start a
session with your server pop3 email. If you use a safer as imaps or pop3s and I
just wanted to see the functioning of the mechanism, protocol is possible to
connect via telnet pop3 without having to add / modify your account, simply run
the following:
telnet serveremail.com 110
user user@rhainfosec.com
pass rhainfosecpasswd
Now
stop the capture, filter and put "pop"
and then click "Apply".
That done, you see only the packets of pop3 connection. Now click on any of
them right, and then click "Follow
TCP Stream".
Figure
8) POP3.
With this he will open a new window with the entire
contents of the ASCII connection. As the pop3 protocol sends everything in
plain text, you can see all the commands executed, including the password.
Figure
9) Pass.
This can be transported to any connection in plain text,
such as ftp, telnet, http, etc.. Just to let you change the filter and examine
the contents of the connection.
Importing External Captures
Usually in servers, there is no graphical environment
installed and with that you cannot use Wireshark directly. If you want to
analyze traffic on this server and you cannot install Wireshark, or if you do
not have to capture this traffic elsewhere, the best one can do is write
traffic with tcpdump locally and then copy this dump to a machine with
Wireshark for a more detailed analysis is made.
We will capture everything that comes or goes to the host
10.10.10.1 with destination port 80 and save content in capturerafaelsouzarhainfosec.pcap file
from the local folder where the command was executed. Run the server:
tcpdump -i eth0 host 10.10.10.1 and dst port 80 -w capturerafaelsouzarhainfosec.pcap
Once you're finished capturing, simply use CTRL + C to copy the file to the machine Wireshark capture and import by clicking on File -> Import. Once imported, you can use the program normally as if the capture had occurred locally.
EVOLUTION OF THINKING
Why
steal your password?
There are various reasons that lead people to steal
passwords from simply to annoy someone (sending email as you) up to perform
illegal activities (invasion on other computers, theft of information, etc.) An
attractive to crackers is the ability to use the identity of others in these
activities.
One of the main reasons that attackers try to break
systems and install "sniffers" is able to quickly capture the maximum
possible accounts. Thus, the more accounts this attacker has , the easier it is
to hide your stash.
How can
you protect yourself?
Do not be thinking that "sniffers" can make all
the insecure Internet. Not so. You need to be aware of where the risk is , when
you're at risk and what to do to be safe .
When you have your stolen credit card or suspect that someone
may be using it improperly, you cancel the card and asks another. Likewise, as
passwords can be stolen, it's critical that you replace regularly. This
precaution limited the amount of time that a stolen password can be used by an
attacker.
Never share your password with others. This sharing makes
it difficult to know where your password is being used (exposed) and is harder
to detect unauthorized use.
Never give your password to anyone claiming access your
account needs to fix some problem or want to investigate a breach of the
system. This trick is one of the most effective methods of hacking, known as
"social engineering."
Use
networks you can trust
Another aspect you should take into consideration is what
network you can trust and which cannot. If you're traveling and need to access
their computers remotely organization. For example, pick any file in your home
directory and you have available is a "LanHouse" or network of
another organization . Are you sure you can trust the network?
If you have no alternative for secure remote access and
only have available resources such as telnet, for example, you can
"mitigate" this effect by changing the password at the end of each
session. Remember that only the first packet (200-300 bytes)of each session carry
information from your "login". Therefore, to always change your
password before logging out, this will not be captured and password before it
was exposed to the network is no longer valid. Of course it is possible to
capture everything going across the network, but has no intention of attacking
fill the file system quickly and so easily discovered.
Why
networks remain vulnerable to "sniffers" long?
There are several reasons and there is no quick solution
to the problem.
Part of the problem is that companies tend to invest in
more new features than add security. New security features can leave the most
difficult systems to configure and less convenient to use.
Another part of the problem is related to added costs for
Ethernet switches, hubs, network interfaces that do not support the particular
"promiscuous" that sniffers can use.
CONCLUSION
The question that remains is how can we protect ourselves
from this threat...
ü
Network cards that cannot be put into
"promiscuous" mode. Thus, computers cannot be mastered and
transformed into "sniffers".
ü
Typically, the Ethernet interface only passes
packets to the highest level protocol that are intended for local machine. This
interface into promiscuous mode allows all packets are accepted and passed to
the higher layer of the protocol stack. This allows the selection you want.
ü
Packages that encrypt data in transit over
the network, thus avoiding to flow passwords "in the clear".
I would remind you that the safest is to adopt and
encourage the use of software which enable remote access encrypted sessions,
help much to make your environment more secure.
One fairly common encryption technology currently in
secure communication between remote machines SSH (Secure Shell). SSH is
available for different platforms. Its use does not prevent the password
captured, but as this is not encrypted serve to the attacker. SSH negotiates
connections using RSA algorithm. Once the service is authenticated, all
subsequent traffic is encrypted using IDEA technology. This type of encryption
is very strong.
In the future, security will increasingly intrinsic to
the systems and infrastructure networks. No use having all the
"apparatus" of security you need, but do not use them. Security is
not something that can be completely secure. Remember, no one is 100% secure.