Wireshark has become a universal tool for network administrators and engineers to help diagnose network issues. However, Wireshark is also a powerful tool that can be used by both White Hat and Black Hat professionals. One of the elementary exercises is an attempt to capture plain-text information that passes through the wire. This attack walks a user through the process of capturing the plain-text log-in credentials of a user who accesses an unencrypted WordPress site. This is a great tutorial for understanding how to use Wireshark, and for learning how vulnerable some websites can be.
Wireshark Attack Process
The following sections cover each part of the attack. They are presented in chronological order as you read through this page. Use the following navigation to skip to specific sections, jump to the video tutorial, or review the commands-only section.
- Setup IP forwarding
- Discover the network gateway IP
- Locate the target IP address
- Insert the Raspberry Pi as a MitM with ARPSpoof
- Recover Log-In Credentials Using Wireshark
IP forwarding tells the Linux system to pass packets it receives on to their proper destination. This is needed before we attempt ARP cache poisoning. It ensures that packets still reach their proper destination after we have inserted ourselves as a MitM. In essence, after we grab the network packets from the target system we have to pass them on to their destination, or we simply create a denial of service (DoS).
Step 1: Setup IP forwarding
root@kali:~# echo 1 > /proc/sys/net/ipv4/ip_forward
Check to ensure the command was executed correctly (the file should now contain 1)
root@kali:~# cat /proc/sys/net/ipv4/ip_forward
Find Default Gateway
Step 2: Discover your current default gateway
root@kali:~# netstat -nr
Locate Target IP
To execute an attack against a target we must first know what IP address to target. One of the most popular network enumeration programs is Nmap. This free and open source program can scan networks using a multitude of methods. There are different ways to use Nmap, and some are stealthier than others. For the sake of this demonstration we are going to use the default settings of the program. Please note that this method may alert a Security Administrator to your presence; however, a full description and implementation of Nmap is out of scope for this project. For more information on how to use the stealth features please visit the Nmap website.
The syntax for Nmap follows:
nmap -[arguments] [network to scan]
We are going to use the following two arguments: “R” for reverse DNS lookup, and “sn” to prevent port scanning. Using the above information about the network we can deduce that the attached network is a Class C (a /24), so we limit our scan to the local network.
Step 3: Locate target IP address
root@kali:~# nmap -Rsn 192.168.2.0/24
The host ceolaptop.bahansen.info, which resolves to 192.168.2.88, is a prime target. Now that we have the target system and the default gateway, we can execute our attack.
MitM with ARPSpoof
ARPSpoof will repeatedly send ARP replies telling the local network that the Raspberry Pi is now the CEO’s laptop. The network will then send those packets to Kali Linux for us to intercept, and the IP forwarding enabled in Step 1 will pass those packets back and forth between the CEO’s laptop and their destination.
The syntax for ARPSpoof follows:
arpspoof -i interface -t target IP -r gateway IP
Step 4: Issue the ARP cache poisoning command using ARPSpoof
root@kali:~# arpspoof -i eth0 -t 192.168.2.88 -r 192.168.2.1
This command will occupy the current command window. Be sure to leave ARPSpoof running, and open a new connection to the Raspberry Pi to issue the final command.
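As an added defender-side example (not part of the original tutorial), the following Python script shows what the poisoning in Step 4 looks like to a monitor on the same segment: one MAC suddenly answers for both the gateway and the target, and the gateway's learned MAC changes. The ARP records and MAC addresses are constructed; the IP addresses are the ones used in this tutorial.

```python
"""Flag ARP cache poisoning from a stream of observed ARP replies.

Two indicators are checked, both characteristic of the arpspoof -t/-r
pattern used above:
  1. an IP whose MAC differs from the MAC first learned for it
  2. a single MAC claiming more than one IP address
"""
from collections import defaultdict

# Constructed sample: (seconds, sender_ip, sender_mac) from ARP replies.
# MACs are made up; the IPs match the tutorial's gateway and target.
SAMPLE_ARP_REPLIES = [
    (1.0, "192.168.2.1",  "aa:bb:cc:00:00:01"),  # real gateway
    (1.5, "192.168.2.88", "aa:bb:cc:00:00:88"),  # real CEO laptop
    (2.0, "192.168.2.1",  "b8:27:eb:12:34:56"),  # Pi claims the gateway IP
    (2.0, "192.168.2.88", "b8:27:eb:12:34:56"),  # Pi also claims the laptop IP
    (3.0, "192.168.2.1",  "b8:27:eb:12:34:56"),  # arpspoof repeats every ~2 s
]


def detect_arp_spoof(replies):
    """Return a list of alert strings, one per newly observed anomaly."""
    ip_to_mac = {}                 # first MAC learned for each IP
    mac_to_ips = defaultdict(set)  # every IP a MAC has claimed
    reported = set()               # de-duplicate repeated spoof packets
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.setdefault(ip, mac)
        if known != mac and (ip, known, mac) not in reported:
            reported.add((ip, known, mac))
            alerts.append(f"{ts:.1f}s MAC change for {ip}: {known} -> {mac}")
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                claimed = ", ".join(sorted(mac_to_ips[mac]))
                alerts.append(f"{ts:.1f}s {mac} claims multiple IPs: {claimed}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoof(SAMPLE_ARP_REPLIES):
        print(line)
```

A real monitor would feed this from a packet capture of ARP traffic (for example, Wireshark's own `arp` display filter exported to a file) rather than from an inline list.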
Running Wireshark Remotely
Linux is a very powerful operating system that will let you run X Window (X11) programs remotely. This means we can access the Graphical User Interface (GUI) of Wireshark through our SSH session. The only additional requirement is to pass the ssh command the “-X” argument.
Step 5: Open an ssh session with X forwarding enabled
root@kali:~# ssh -X 192.168.11.15
Step 6: Launch Wireshark
Wireshark will launch and you will see the above options displayed. To verify that you are indeed running Wireshark from the Raspberry Pi, click on the “Interface List” and verify that the IP address listed is on the same network that was scanned above, and different from the laptop’s.
Step 7: Start capturing packets with Wireshark
- Select the check box next to the “eth0” interface; this is the built-in network card on the Raspberry Pi.
- Then click “Start” and wait until you feel confident you have captured enough data.
- Click the “Stop” button to stop capturing packets.
Step 8: Filter the captured data based on the source IP address
Enter the display filter ip.src == 192.168.2.88 and http.request.full_uri contains login into the Filter box in Wireshark.
Step 9: Use Wireshark to view the raw data being sent between the target computer and the server.
- Select the packet that carries the HTTP “POST” for the log-in page.
- Right-click and select “Follow TCP Stream”.
- Locate the Log-In Name and Password in the raw stream.
The “%21” is the URL encoding of “!”; after decoding you get:
User Name: IA590
Commands Only
echo 1 > /proc/sys/net/ipv4/ip_forward
netstat -nr
nmap -Rsn 192.168.2.0/24
arpspoof -i eth0 -t 192.168.2.88 -r 192.168.2.1
ssh -X 192.168.11.15
wireshark