13.10.2019

Download Wireshark For Kali Linux Android


Install and run Wireshark to capture traffic; Filtering captured POST traffic; Find the username and password using Wireshark; Determining the type of encoding.


Computers communicate using networks. These networks could be on a local area network (LAN) or exposed to the internet. Network sniffers are programs that capture low-level packet data that is transmitted over a network. An attacker can analyze this information to discover valuable information such as user IDs and passwords.

In this article, we will introduce you to common network sniffing techniques and tools used to sniff networks. We will also look at countermeasures that you can put in place to protect sensitive information being transmitted over a network.

What is network sniffing?

Computers communicate by broadcasting messages on a network using IP addresses. Once a message has been sent on a network, the recipient computer with the matching IP address responds with its MAC address.

Network sniffing is the process of intercepting data packets sent over a network. This can be done by a specialized software program or hardware equipment.

Sniffing can be used to:

  * Capture sensitive data such as login credentials
  * Eavesdrop on chat messages
  * Capture files that have been transmitted over a network

The following are protocols that are vulnerable to sniffing:

  * Telnet
  * Rlogin
  * HTTP
  * SMTP
  * NNTP
  * POP
  * FTP
  * IMAP

The above protocols are vulnerable if login details are sent in plain text.

Passive and Active Sniffing

Before we look at passive and active sniffing, let's look at two major devices used to network computers: hubs and switches.

A hub works by sending broadcast messages to all output ports on it except the one that has sent the broadcast. The recipient computer responds to the broadcast message if the IP address matches. This means when using a hub, all the computers on a network can see the broadcast message. It operates at the physical layer (layer 1) of the OSI Model.

The diagram below illustrates how the hub works.

A switch works differently; it maps IP/MAC addresses to physical ports on it. Broadcast messages are sent to the physical ports that match the IP/MAC address configurations for the recipient computer. This means broadcast messages are only seen by the recipient computer. Switches operate at the data link layer (layer 2) and network layer (layer 3).

The diagram below illustrates how the switch works.

Passive sniffing is intercepting packets transmitted over a network that uses a hub. It is called passive sniffing because it is difficult to detect. It is also easy to perform as the hub sends broadcast messages to all the computers on the network.

Active sniffing is intercepting packets transmitted over a network that uses a switch. There are two main methods used to sniff switch-linked networks: ARP poisoning and MAC flooding.

Hacking Activity: Sniff network traffic

In this practical scenario, we are going to use Wireshark to sniff data packets as they are transmitted over the HTTP protocol.

For this example, we will sniff the network using Wireshark, then log in to a web application that does not use secure communication. We will log in to a web application on.

The login address is [email address hidden by the site's spam protection], and the password is Password2010.

Note: we will log in to the web app for demonstration purposes only. The technique can also sniff data packets from other computers that are on the same network as the one that you are using to sniff. The sniffing is not limited to techpanda.org; it also captures the data packets of all HTTP and other protocols.

Sniffing the network using Wireshark

The illustration below shows you the steps that you will carry out to complete this exercise without confusion.

  1. Download Wireshark from this link.
  2. Open Wireshark. You will get the following screen.
  3. Select the network interface you want to sniff. Note that for this demonstration, we are using a wireless network connection. If you are on a local area network, then you should select the local area network interface.
  4. Click on the start button as shown above.
  5. Open your web browser and type in.
  6. The login email is [email address hidden by the site's spam protection] and the password is Password2010. Click on the submit button.
  7. A successful logon should give you the following dashboard.
  8. Go back to Wireshark and stop the live capture.
  9. Filter for HTTP protocol results only using the filter textbox.
  10. Locate the Info column, look for entries with the HTTP verb POST and click on one.
  11. Just below the log entries, there is a panel with a summary of captured data. Look for the summary that says Line-based text data: application/x-www-form-urlencoded.
  12. You should be able to view the plaintext values of all the POST variables submitted to the server via the HTTP protocol.

What is MAC flooding?

MAC flooding is a network sniffing technique that floods the switch MAC table with fake MAC addresses. This leads to overloading the switch memory and makes it act as a hub. Once the switch has been compromised, it sends the broadcast messages to all computers on a network. This makes it possible to sniff data packets as they are sent on the network.

Countermeasures against MAC flooding

Some switches have the port security feature. This feature can be used to limit the number of MAC addresses on the ports.
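The effect of a per-port MAC limit can be shown with a small model. This is an added example, not code from the original article; the port names, the limit of two addresses and the frame list are constructed assumptions.

```python
from collections import defaultdict

def apply_port_security(frames, max_macs=2):
    """Emulate a per-port MAC limit over (port, src_mac) frames seen in order.

    Returns (mac_table, violations): the addresses learned per port, and for
    each port that went over the limit, how many new addresses were refused.
    """
    table = defaultdict(set)
    violations = defaultdict(int)
    for port, mac in frames:
        mac = mac.lower()
        learned = table[port]
        if mac in learned:
            continue                  # known address, nothing to learn
        if len(learned) < max_macs:
            learned.add(mac)          # still under the limit: learn it
        else:
            violations[port] += 1     # over the limit: refuse and count it
    return dict(table), dict(violations)

def table_size(table):
    """Total number of MAC addresses the switch is holding."""
    return sum(len(macs) for macs in table.values())

def constructed_frames():
    """Constructed sample: two ordinary ports, one port cycling source MACs."""
    frames = [("Gi0/1", "00:11:22:33:44:55"), ("Gi0/2", "00:11:22:33:44:66"),
              ("Gi0/1", "00:11:22:33:44:55")]
    # Hypothetical port Gi0/3 presents 200 distinct source addresses.
    frames += [("Gi0/3", "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF))
               for i in range(200)]
    return frames

if __name__ == "__main__":
    limited, alerts = apply_port_security(constructed_frames(), max_macs=2)
    unlimited, _ = apply_port_security(constructed_frames(), max_macs=10**6)
    print("table size without limit:", table_size(unlimited))
    print("table size with limit:   ", table_size(limited))
    print("ports to investigate:    ", alerts)
```

The violation counter is the useful signal for monitoring: a port that keeps presenting new source addresses after reaching its limit is the one to investigate.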

Interception of passwords with Wireshark

Many users do not realize that when they fill in a login and password to register or authenticate on a restricted Internet resource and press ENTER, this data can easily be intercepted. Very often it is transmitted over the network in a non-secure manner. Therefore, if the site on which you are trying to log in uses the HTTP protocol, it is very easy to capture this traffic, analyze it using Wireshark and then use special filters and programs to find and decode the password.

Traffic capture has begun.

Filtering captured POST traffic

We open the browser and try to log in to any resource using the login and password. Upon completion of the authorization process and the opening of the site, we stop capturing traffic in Wireshark. Next, open the protocol analyzer and see a large number of packets. It is at this stage that most IT professionals give up, because they do not know what to do next. But we know, and we are interested in specific packets that contain the POST data generated on our local machine when the form is filled in on the screen and sent to the remote server when you click the 'Login' or 'Authorization' button in the browser.

Enter a special filter in the window to display the captured packets: http.request.method == "POST"

Instead of a thousand packets, we see only one with the data we are looking for. After that, a new window will display the text, which in the code restores the contents of the page.

Find the fields “password” and “user”, which correspond to the password and user name.
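Both walkthroughs above end at the same place: a POST body of type application/x-www-form-urlencoded readable in the capture. The following added example (not from the original article) turns that observation into an audit check for your own application's traffic: it parses a raw HTTP request, decodes the form encoding, and reports credential-like fields sent in cleartext while keeping only the length of each value. The field-name list and both sample requests are constructed assumptions.

```python
from urllib.parse import parse_qsl

# Field-name fragments treated as credential-bearing (assumed list; tune per app).
SENSITIVE = ("pass", "pwd", "user", "login", "email", "token")

def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def audit_cleartext_form(raw: bytes):
    """Return findings for credential-like fields in a form-urlencoded POST.

    Values are reduced to their length so the report itself leaks nothing.
    """
    method, target, headers, body = parse_http_request(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if method != "POST" or ctype != "application/x-www-form-urlencoded":
        return []
    findings = []
    # parse_qsl undoes the percent-encoding and '+' for spaces used by forms.
    fields = parse_qsl(body.decode("iso-8859-1"), keep_blank_values=True)
    for name, value in fields:
        if any(tag in name.lower() for tag in SENSITIVE):
            findings.append({"host": headers.get("host", "?"), "path": target,
                             "field": name, "value_length": len(value)})
    return findings

# Constructed samples (not real captures): a login POST and an ordinary GET.
SAMPLE_LOGIN = (
    b"POST /login HTTP/1.1\r\nHost: app.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n"
    b"Content-Length: 48\r\n\r\n"
    b"email=alice%40example.test&password=S3cret%21+pw")
SAMPLE_SEARCH = b"GET /search?q=wireshark HTTP/1.1\r\nHost: app.example.test\r\n\r\n"

if __name__ == "__main__":
    for finding in audit_cleartext_form(SAMPLE_LOGIN):
        print("cleartext credential field:", finding)
```

Any finding from this check means the login form must be served and submitted over HTTPS only.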

logobossmundo – 2019