Posted on Leave a comment

Packet Sniffing : Part 1

Hello, aspiring Ethical hackers. In this article, you will learn about basics of packet sniffing. You should have observed that almost all the websites you have visited recently have a padlock sign and begin with HTTPS. Google started giving minor ranking boost to websites with HTTPS enabled since year 2014.There is a good security reason behind this. In this first article on Sniffing our readers will learn and understand about basic concepts about Sniffing and why plaintext protocols are considered bad from security perspective.

Plain text protocols are those protocols in which confidential information like usernames and passwords are passed to the server in complete plain text. This allows anyone in middle to sniff on these usernames and passwords. This attack is known as sniffing attack or Man in The Middle (MITM) attack or Janus attack.

 In ancient Roman mythology, Janus is a God who presided over both beginning and end. In a packet sniffing attack, as an attacker is in middle and can see the data going between server and client, this attack is also known as Janus attack. You are going to see how sniffing works on plaintext protocols in this article. In our present Issue, we will demonstrate the basic level of sniffing on plaintext protocols. For this, we will be using three virtual machines which are on the same network.

They are  Metasploitable 2 which acts as server, Ubuntu which acts as client and of course Kali as our Attacker system.  As you can see, the IP addresses of the three machines are

     Metasploitable2 – 192.168.64.128 (Server)

     Ubuntu – 192.168.64.132 (Client)

     Kali – 192.168.64.132 (Attacker system)

Let’s start Wireshark on the attacker machine (on interface eth0). It starts capturing packets on the network.

The reason why we are using Metasploitable 2 as our target is that it already has many services that we need for this tutorial preinstalled.  The first service we will be using is Telnet. It is a protocol that is used for remote access on another system. On most Linux systems, Telnet clients are installed by default.

So we Open a terminal and log into the Metasploitable 2 Telnet server with the credentials shown below.

The login is successful. Now on the Attacker system, we can observe the traffic being captured by the Wireshark sniffer. You can see data related to Telnet being transferred.

We can Right Click on that Telnet data stream and click on “Follow” as shown below.

In the sub menu that opens when we click on the only option “TCP stream” a new window opens that will show only the TCP stream.

In this window, you can see the credentials we just used to login into the target system. Telnet is a plain text protocol which transfers credentials and other sensitive data in plain text. This allows sniffing of data. That’s the reason it has been mostly replaced by Secure Shell (SSH) nowadays.   

Let’s see another protocol. File Transfer Protocol (FTP) is a protocol that is used to share files. It is another protocol that transfers data in plain text. From our client, we login into the FTP server with credentials “anonymous:anonymous”.

Anonymous account in FTP is used to share files to anyone without the need for them to know credentials.

On the Wireshark interface, you can see FTP data being transferred.

We can view the TCP stream

This once again shows credentials.

Instead of observing LIVE data transfer and following TCP stream from there, we can also just save the packet capture file and open the file later for analysis.

After opening the file, we can search for specific terms as shown below. 

Then following the TCP stream gives us the credentials.

Seeing the vulnerability due to sniffing, many protocols have been replaced with secure protocols which transfer data in encrypted form instead of plain text form. We will learn more about sniffing in our next Part.