
Beginners guide to Wireshark

Hello, aspiring ethical hackers. In one of our previous blogposts, you learnt in detail what is packet sniffing, types of sniffing, what are sniffers and types of sniffers? In this article, you will learn about Wireshark, the most popular sniffer used in cybersecurity.

What is Wireshark?

Wireshark is an open-source network packet analyzer used for network troubleshooting, network analysis etc. It runs on Linux, macOS, BSD, Solaris and even on Windows. It is installed by default in pen testing distros like Kali Linux, which is what we are going to use for this tutorial. On Kali Linux, the Wireshark sniffer can be started using the command “wireshark” in the terminal as shown below.

This will open the Wireshark GUI window as shown below.

In the newly opened Wireshark window, all the network adapters attached to the system (in our case, a virtual machine) on which Wireshark is running are displayed. Select the network interface on which you want to capture packets (ours is eth0) and click on “Start capturing packets”.

Wireshark will start capturing live packets of the network. Here, it is time to learn about the interface of Wireshark. The interface of Wireshark can be divided into 5 primary parts. They are,

1. Menu bar: Common to all GUI applications and doesn’t need explanation.

2. The Main toolbar: The main toolbar consists of items for the operation of Wireshark, for example starting capture, stopping capture, restarting capture, saving capture to a file etc.

3. The Filter toolbar: The Filter toolbar is used to apply display filters for the captured packets. More about it later.

4. The “Packet List” pane: This pane displays all the packets captured by Wireshark, one packet per line. By default, the “Packet List” pane consists of seven columns. They are,

  • Number: The number of the packet in the capture file.
  • Time: Time of capture of the packet.
  • Source: The source from where the packet originated.
  • Destination: The destination address where the packet went.
  • Protocol: The protocol information about the captured packet: ex: ARP, ICMP etc.
  • Length: Length of the captured packet.
  • Information: Additional information about the packet.

5. The “Packet Details” pane: This pane shows the current packet in a more detailed form.

6. The “Packet Bytes” pane: This pane shows all the details of the selected packet in hexdump style.

By now, you are accustomed to the interface of Wireshark. Let’s move forward. In the “Packet List” pane, you can see all the packets. You can select each packet to see information about it. You can also right click on a packet to open a new menu. For example, you can follow the TCP stream of a packet. Here, there is a packet belonging to the Telnet protocol going from IP 192.168.40.169 to 192.168.40.162. Following its TCP stream can be interesting. But you will learn about this in password sniffing.

The important concept beginners should learn about Wireshark is Wireshark filters. A raw Wireshark packet capture can be overwhelming, if not confusing. Wireshark filters allow us to bring some clarity to the captured traffic. Filters can be applied to Wireshark from the “Filter” toolbar. Wireshark has some commonly used filters which can be viewed as shown below.

Let’s learn about some common filters useful to beginners. In the filter column, add this filter.

ip.addr==192.168.40.168

The default syntax of a Wireshark filter is “ip.addr == value”. This filter is used when you want to view the traffic of a particular IP address. Here, we want to view traffic of only the system whose IP address is “192.168.40.168”.

Let’s make it better. If you want to view all the traffic originating from IP address 192.168.40.168, the filter below will help.

ip.src == 192.168.40.169

Similarly, we can use the “ip.dst == 192.168.40.169” filter to see all the packets coming to the machine with IP address 192.168.40.169. We can also combine two filters using ampersand (&&). For example, you can view the packets originating from IP 192.168.49.169 and coming to IP 192.168.40.168 using the filter below.

ip.src==192.168.40.169 && ip.dst==192.168.40.168

You can even view traffic belonging to a specific port in the entire network. For example, let’s view the traffic belonging to TCP port 21 using the filter “tcp.port == 21” as shown below.

tcp.port==21
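What these four filters match, as an added Python example that is not part of the original article: it parses constructed Ethernet/IPv4/TCP frames and applies the same predicates. The IP addresses are the ones used above; the frames, client ports and helper names are made up for illustration.

```python
import socket
import struct

def build_frame(src_ip, dst_ip, sport, dport):
    """Build a constructed Ethernet/IPv4/TCP frame (zero MACs and checksums)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp

def parse_frame(frame):
    """Return the fields the filters test, or None if the frame is not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length in bytes
    if frame[23] != socket.IPPROTO_TCP or len(frame) < 14 + ihl + 4:
        return None
    sport, dport = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
    return {"ip.src": socket.inet_ntoa(frame[26:30]),
            "ip.dst": socket.inet_ntoa(frame[30:34]),
            "tcp.srcport": sport, "tcp.dstport": dport}

def ip_addr(pkt, ip):
    """ip.addr == X is true when X is the source OR the destination."""
    return ip in (pkt["ip.src"], pkt["ip.dst"])

def tcp_port(pkt, port):
    """tcp.port == N is true when N is the source OR the destination port."""
    return port in (pkt["tcp.srcport"], pkt["tcp.dstport"])

def apply_filter(frames, predicate):
    """Return the 1-based numbers of matching packets, like the Number column."""
    parsed = ((no, parse_frame(f)) for no, f in enumerate(frames, 1))
    return [no for no, pkt in parsed if pkt is not None and predicate(pkt)]

# Constructed capture: an FTP and a Telnet exchange between the article's hosts.
CAPTURE = [
    build_frame("192.168.40.169", "192.168.40.168", 40000, 21),   # packet 1
    build_frame("192.168.40.168", "192.168.40.169", 21, 40000),   # packet 2
    build_frame("192.168.40.169", "192.168.40.162", 40001, 23),   # packet 3
    build_frame("192.168.40.162", "192.168.40.169", 23, 40001),   # packet 4
]

if __name__ == "__main__":
    both = lambda p: p["ip.src"] == "192.168.40.169" and p["ip.dst"] == "192.168.40.168"
    print(apply_filter(CAPTURE, lambda p: ip_addr(p, "192.168.40.168")))
    print(apply_filter(CAPTURE, lambda p: p["ip.src"] == "192.168.40.169"))
    print(apply_filter(CAPTURE, both))
    print(apply_filter(CAPTURE, lambda p: tcp_port(p, 21)))
```

Note that “ip.addr” and “tcp.port” match in either direction, which is why both the request and the reply of the port 21 exchange are listed.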

Those are some helpful filters for beginners. At any time, you can stop the capture from the “stop capture” option of Wireshark as shown below.

You can also save the captured packets in a file. By default, Wireshark saves the captured data in the pcap format.

Ignore the warnings (-w)

By default, while scanning, it avoids going into any directories that are listable. This makes common sense too. It displays the message saying “directories are testable”. If you want it to scan inside such directories, you can use this option (-w).

We can open this pcap file again using Wireshark for analysis later. Learn how to use ettercap.


Password sniffing tutorial for beginners

Hello, aspiring Ethical hackers. In this article, you will learn about password sniffing. You should have observed that almost all the websites you have visited recently have a padlock sign and begin with HTTPS now. Google has been giving a minor ranking boost to websites with HTTPS enabled since the year 2014. As you will learn by the end of the blogpost, there is a good security reason behind this.

What is Password sniffing?

Password sniffing or Credential sniffing is sniffing or capturing of credentials (or any other data) while they are in transit from one machine to another machine (usually from client to server). Password sniffing is only possible when plain text protocols are in use. Plain text protocols are those protocols in which confidential information like usernames and passwords are passed to the server in complete plain text and without any encryption.

This allows anyone in the middle to sniff these usernames and passwords. Examples of plain text or clear text protocols are FTP, Telnet, SMTP, HTTP, IMAP, POP3, TFTP etc. Let’s see password sniffing practically. In this article, we will demonstrate the basic level of password sniffing on plaintext protocols. For this, we will be using three virtual machines which are on the same network.

They are Metasploitable 2 which acts as server, Ubuntu which acts as client and of course Kali as our Attacker system. As you can see, the IP addresses of the three machines are

Metasploitable2 – 192.168.64.128 (Server)

Ubuntu – 192.168.64.132 (Client)

Kali – 192.168.64.132 (Attacker system)

Let’s start Wireshark on the attacker machine (on interface eth0). It starts capturing packets on the network.

The reason why we are using Metasploitable 2 as our target is that it already has many services that we need for this tutorial preinstalled. The first service we will be using is Telnet. It is a protocol that is used for remote access on another system. On most Linux systems, Telnet clients are installed by default.

So we open a terminal and log into the Metasploitable 2 Telnet server with the credentials shown below.

The login is successful. Now on the Attacker system, we can observe the traffic being captured by the Wireshark sniffer. You can see data related to Telnet being transferred.

We can Right Click on that Telnet data stream and click on “Follow” as shown below.

In the sub menu that opens, clicking on the only option, “TCP stream”, opens a new window that shows only the TCP stream.

In this window, you can see the credentials we just used to log in to the target system. Telnet is a plain text protocol which transfers credentials and other sensitive data in plain text. This allows sniffing of data. That’s the reason it has been mostly replaced by Secure Shell (SSH) nowadays.

Let’s see another protocol. File Transfer Protocol (FTP) is a protocol that is used to share files. It is another protocol that transfers data in plain text. From our client, we log in to the FTP server with credentials “anonymous:anonymous”.

Anonymous account in FTP is used to share files to anyone without the need for them to know credentials.

On the Wireshark interface, you can see FTP data being transferred.

We can view the TCP stream.

This once again shows credentials.

Instead of observing LIVE data transfer and following TCP stream from there, we can also just save the packet capture file and open the file later for analysis.

After opening the file, we can search for specific terms as shown below.


Then following the TCP stream gives us the credentials.
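The same exposure seen from the defender's side, as an added Python example that is not part of the original article: it audits client-to-server stream contents for credentials sent in clear text and reports which services need replacing, without ever returning the secret. It goes beyond the FTP case above by also covering HTTP Basic authentication; the stream contents, the HTTP account and the function names are constructed for illustration.

```python
import base64
import re

# Client-to-server lines that carry a credential in clear text.
PATTERNS = {
    "USER": re.compile(rb"^USER (\S+)\r?$", re.M),
    "PASS": re.compile(rb"^PASS (.*?)\r?$", re.M),
    "HTTP Basic": re.compile(rb"^Authorization: Basic (\S+)\r?$", re.M | re.I),
}

def audit(streams):
    """Return (client, server, port, kind, detail) findings; secrets are redacted."""
    findings = []
    for client, server, port, data in streams:
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(data):
                value = m.group(1)
                if kind == "PASS":
                    detail = "<redacted, %d bytes>" % len(value)
                elif kind == "HTTP Basic":
                    try:   # base64 is an encoding, not encryption: the user name decodes
                        user = base64.b64decode(value, validate=True).split(b":", 1)[0]
                    except ValueError:
                        continue
                    detail = user.decode("latin-1") + ":<redacted>"
                else:
                    detail = value.decode("latin-1")
                findings.append((client, server, port, kind, detail))
    return findings

def exposed_services(findings):
    """Server endpoints that accepted credentials in clear text (migration list)."""
    return sorted({(server, port) for _c, server, port, _k, _d in findings})

# Constructed client-to-server stream contents (what "Follow > TCP stream" shows),
# using the lab addresses from the article. The HTTP account is made up.
STREAMS = [
    ("192.168.64.132", "192.168.64.128", 21,
     b"USER anonymous\r\nPASS anonymous\r\nLIST\r\n"),
    ("192.168.64.132", "192.168.64.128", 80,
     b"GET /admin HTTP/1.1\r\nHost: lab\r\nAuthorization: Basic "
     + base64.b64encode(b"labuser:constructed-pw") + b"\r\n\r\n"),
    ("192.168.64.132", "192.168.64.128", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),
]

if __name__ == "__main__":
    for finding in audit(STREAMS):
        print(finding)
    print(exposed_services(audit(STREAMS)))
```

The SSH stream produces no finding because nothing after its version banner is readable on the wire.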

Seeing the vulnerability due to sniffing, many protocols have been replaced with secure protocols which transfer data in encrypted form instead of plain text form. These are given below.


MiTM Attack: Sniffing Images In a Network

Hello aspiring ethical hackers. In this article you will learn how to sniff images in a network using MiTM attack. In our previous article, readers have learnt how plaintext credentials passing through the network can easily be captured by attackers using Wireshark.

In this article, readers will learn about a different type of sniffing, i.e. capturing images being transmitted through the network. As good as Wireshark is, it cannot be used to sniff images being sent through the network.

For this tutorial, we need a program that transfers images over a network. For this purpose, we will use Netop Vision Pro Classroom Management Software (https://www.codework-systems.com/products/netop/netop-vision-pro/). As its name implies, this is classroom management software used for distance learning. It has two modules: the Teacher module and the Student module. The Teacher module is installed on one system and the Student module is installed on all the student systems. The computer running the Teacher module has complete control over the computer running the Student module, and the student has no role or a very limited one. The Teacher can view the Student’s Desktop to make sure the student is on track.

Remember the sniffing lab we used in one of our previous articles. In the same Sniffing Lab, we will add three systems: two Windows 7 systems, with the Netop Vision Student Module installed on one and the Netop Vision Teacher Module installed on the other. The third system is Kali Linux, which is the attacker system and is used for sniffing images. Let’s set up the Lab first. Download the Netop Vision Pro software onto the first Windows 7 system and click on it. Select “Run Installer” and click on “Next”.

Click on “I Accept The Terms in the license agreement” and click on “Next”.

Select the Vision Student Module and click on Next.

Select the option as a Windows Startup Service and click on Install.

Check the IP address of this system and restart it.

Here’s the Student’s Windows system. There is some program running on it.

Now, in the second Windows 7 system, install the Teacher module of Netop Vision.

When it prompts for the license key, click on “Next”.

Click OK to restart the computer.

After the computer (on which Netop Vision’s Teacher Module is installed) reboots, open the Netop Vision application. This should open the classroom manager window automatically. If that does not happen, open it from the File menu. Create a new classroom. Click on “New”.

Click on “Next”.

Add the student system. Click on “Add” and add the IP address of the student system as shown below. Then click on “translate addresses”. You will get the IP address translated to the name of the computer. Click “OK”.

Click “Next”.

Click on “Finish” to finish the installation.

We have set up a new classroom. From the classroom manager, open the new classroom you just created.

We can see the Desktops of connected Student computers. Since we have connected only one student computer, only one system is shown.

The target is ready. On the Kali Linux system, install the Driftnet tool as shown below.


Check the name of the network interface.

Now all we have to do is to start the driftnet tool on that interface.

A small window will open as shown below.

When you maximize the window, you can see the live capture of the images of the Student’s Desktop. These images of the student computer are being captured by the teacher module. As already said, the feature is available in Netop Vision classroom management software to monitor student computers. These images are captured at regular short intervals and transmitted in real time to the Teacher computer.

But how are these images being sniffed by Driftnet? Just like in the case of plain text protocols, these images are being transmitted in the network without any encryption. Hence, driftnet has been able to capture them by sniffing on the network.


Beginners guide to Packet sniffing

Hello, aspiring Ethical Hackers. In this blogpost, you will learn about packet sniffing. Data doesn’t get hacked only when it is sitting on a computer or a hard disk. It also gets hacked when it is in transit between one system and another system over the internet. For example, in 2008, Heartland Payment Systems, which is one of the world’s largest credit card payment processors, was hacked by two Russian hackers. After gaining access, they placed sniffers within the Heartland system. Using these sniffers, they collected 130 million credit card credentials.

What is Packet Sniffing?

Packet sniffing is an act or method of monitoring, gathering or collecting data or information while it is in transit from one system to another system (usually from client to server). Since data or information is transferred over internet in the form of small network packets, it is known as Packet sniffing.

Types of Sniffing

Sniffing can be classified into two types. They are Passive sniffing and Active sniffing.

1. Passive Sniffing:

In this type of sniffing, we just observe or monitor the traffic going around the network. There is no need of injection of any additional traffic into the network. To do this, we should be able to view the traffic belonging to all the devices in the network. This is only possible when all the devices in the network are connected through a Network hub. In a network connected by a hub, all the devices can see the traffic sent to all other devices on the network.

2. Active Sniffing:

In this type of sniffing, additional traffic has to be injected into the network to begin sniffing. This type of sniffing is performed in a network connected by a switch.

What is a Sniffer?

Packet sniffing can be performed using either software or hardware. The software or appliance used to perform sniffing is known as a sniffer.

Examples of software sniffers include Wireshark, Tcpdump, Windump, Ettercap, dsniff, Kismet, Driftnet and Network miner etc.

Examples of Sniffing attacks

1. Password Sniffing:

This is the simplest form of sniffing attack, as in this type of sniffing, sniffers just collect the data in transit silently. Although sniffers are looking to sniff credentials, any data that is not encrypted before being transmitted between two devices can be sniffed. For example, protocols like FTP, Telnet and HTTP etc. transmit all data including credentials in clear text. Learn more about password sniffing attack here.

2. DNS Cache Poisoning:

Also known as DNS poisoning or DNS spoofing, this attack involves poisoning the cache of a DNS server. A Domain Name Server (DNS) resolves host names to the IP addresses and vice versa. So, if a DNS cache is poisoned with malicious entries, any user trying to visit a genuine website may be redirected to a fake malicious website.

3. MAC Flooding:

In this type of sniffing attack, the attacker sends a large amount of traffic to the network switch to fill the MAC address table using fake MAC addresses. When the MAC address table is full, the network switch behaves like a hub.

4. MAC Spoofing:

Also known as ARP spoofing or ARP poisoning, in this attack, the attacker tries to spoof the MAC address of another device like a switch. This results in all the devices on the network thinking that the attacker-controlled computer is the switch and starting to send traffic to it.

5. TCP Session Hijacking:

In this sniffing technique, also known as Session Hijacking, the attacker steals the user’s session ID and impersonates that user.

6. JavaScript Card Sniffing:

In this type of sniffing attack, hackers take control of a website and make changes to the JavaScript by adding malicious lines of code to it. These changes are done to collect any valuable information, like credentials, credit card numbers and other information.

7. DHCP attacks:

In this attack, the DHCP server is flooded by the attacker with fake DHCP requests to use up all the allocated IP addresses for that network.
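How a defender can spot items 3 and 4 above, as an added Python example that is not part of the original article: one check flags an IP address claimed by more than one MAC address in ARP replies, the other flags a switch port that learns an abnormal number of new source MACs in a short time. The observation records, port names, gateway address and thresholds are assumptions made for illustration.

```python
from collections import defaultdict

def arp_conflicts(replies):
    """Return {ip: [macs]} for every IP address claimed by more than one MAC."""
    claims = defaultdict(set)
    for _ts, ip, mac in replies:
        claims[ip].add(mac.lower())
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}

def flooded_ports(learn_events, window=1.0, max_new_macs=100):
    """Return ports that learned more than max_new_macs new MACs within `window` s."""
    first_seen = defaultdict(dict)                 # port -> {mac: first timestamp}
    for ts, port, mac in learn_events:
        first_seen[port].setdefault(mac.lower(), ts)
    flagged = []
    for port, macs in first_seen.items():
        times, lo = sorted(macs.values()), 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:          # slide the window start forward
                lo += 1
            if hi - lo + 1 > max_new_macs:
                flagged.append(port)
                break
    return sorted(flagged)

# Constructed ARP replies: (time, sender IP, sender MAC). The gateway address
# 192.168.64.1 and all MACs are made up; at t=5.0 a second MAC claims the gateway.
ARP_REPLIES = [
    (0.0, "192.168.64.1", "00:50:56:AA:00:01"),
    (1.0, "192.168.64.128", "00:0c:29:aa:00:80"),
    (5.0, "192.168.64.1", "00:0c:29:bb:00:84"),
    (5.5, "192.168.64.1", "00:0c:29:bb:00:84"),
]

# Constructed switch MAC-learning events: (time, port, source MAC). Port names are
# hypothetical; Gi0/7 learns 500 new addresses in half a second.
LEARN_EVENTS = [(0.0, "Gi0/1", "00:0c:29:aa:00:80"), (30.0, "Gi0/1", "00:0c:29:aa:00:81")]
LEARN_EVENTS += [(10.0 + i * 0.001, "Gi0/7", "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF))
                 for i in range(500)]

if __name__ == "__main__":
    print(arp_conflicts(ARP_REPLIES))
    print(flooded_ports(LEARN_EVENTS))
```

An IP address legitimately moving to a new MAC (a replaced network card, a failover pair) also shows up as a conflict, so treat a hit as something to investigate rather than proof of spoofing.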