Data traversing an HTTP channel is prone to MITM attacks, as it flows in plain-text format. Network administrators use sniffers to troubleshoot network problems, examine security issues and debug protocol implementations. However, an attacker can use the same tools, such as Wireshark, to sniff the traffic flowing between the client and the server.
The traffic obtained by the attacker might contain sensitive information such as login credentials, which can be used to perform malicious activities such as user-session impersonation. As an ethical hacker, we will use Wireshark to sniff network traffic, analyze the packets and try to identify the credentials of your system and web application account, and also identify the OS used on the target host.
What is Wireshark?
Wireshark is a protocol analyzer. It can capture live traffic on a network packet by packet, retaining all of each packet's information so it can be analyzed later. It shows, in great depth, the protocols used, which layer the packet belongs to, the data in hex and bit-stream format, flag values, and every little detail of a single packet. This makes it a very helpful tool for network analysts to monitor and administer the traffic on a network.
What is a MITM attack?
A MITM, or Man-In-The-Middle, attack is one in which, when a sender A sends a packet to receiver B, an unwanted, untrusted third party C sits in the middle, receives all the packets and can monitor them. This third party can even modify or alter the messages, which leads to a loss of information confidentiality.
How can we capture credentials and other INFO?
Generally, a vulnerable web app uses plain HTTP (not HTTPS), submitting the login form with a GET or POST request. Such requests send data from one end to the other in plain text, without applying any encryption or other method of hiding the data. All of this data is bound to exit through a choke point in the network. When an attacker monitors the traffic at this choke point and sniffs the packets, he can easily see all the relevant information with a network monitoring tool like Wireshark.
We will now try to capture credentials using Wireshark.
1) Capturing passwords in insecure web apps using Wireshark:
Note: For demonstration purposes, any vulnerable web app can be used.
- Start Wireshark and select the appropriate network adapter (Wi-Fi in our case).
- Click the small shark-fin icon at the top left of the screen to start capturing packets.
- Open the web browser and visit any insecure (plain HTTP) site.
- Enter credentials to log in.
- Stop capturing packets.
- In Wireshark, go to Edit -> Find Packet.
- In the find bar, set the search scope to "Packet details" and the search type to "String".
- Search for the phrase 'pwd', 'pass' or 'password'.
- Right-click the packet that was found and choose Follow -> TCP Stream (Wireshark also offers Follow -> HTTP Stream for this case).
- You can now analyze the stream and see the username and password you entered.
As seen in the above screenshot, the first line shows the request method and the protocol used. It states that a POST request over HTTP was made to the server, which sent the credentials in plain text instead of in an encrypted form.
2) Capturing OS info and packet details while pinging:
We can also use Wireshark to capture packets of protocols other than HTTP or HTTPS. For instance, we will now capture the traffic generated by a "ping" command while pinging PC B from PC A. The ping command uses the ICMP protocol.
- Start the Kali Linux VM.
- Start Wireshark in Kali Linux.
- Start capturing packets by selecting the appropriate network adapter and clicking the shark-fin icon at the top left of the screen.
- Open a terminal and type "ping ipaddress_of_windows_machine" to ping the Windows machine from Kali Linux.
- Stop capturing packets.
- Open a packet whose protocol is ICMP (Echo request). This is the request packet sent from Kali Linux to Windows. Analyze the packet and look at the IP header details, in particular the Time To Live (TTL). It should be 64, the default initial TTL of a Linux machine.
- Do the same for the ICMP (Echo reply) packet. This is the reply packet from Windows. Look at its Time To Live (TTL) value. It should be 128, the default initial TTL of a Windows machine.
Hence we have successfully verified the OS info from the packet details that were sent during the ping command. Note that each router on the path decrements the TTL by one, so a remote host shows a value somewhat below its default (for example 126 instead of 128), and the default itself can be changed by the administrator, so the TTL is a heuristic rather than proof of the OS.
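The two checks above, finding a plaintext credential POST in section 1 and mapping an ICMP packet's TTL to a likely OS in section 2, as an added Python example that is not part of the original article. It builds two constructed IPv4 packets inline (a hypothetical login POST to vuln.example and an ICMP echo reply with TTL 126) instead of reading a real capture, and parses them with the standard library only.

```python
import struct
from urllib.parse import parse_qs

def build_ipv4(proto, ttl, payload):
    # Minimal 20-byte IPv4 header (no options); checksum left at 0, not verified here.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto,
                      0, bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]))
    return hdr + payload

def build_tcp(payload):
    # Minimal 20-byte TCP header: src 40000, dst 80, data offset 5, flags PSH|ACK.
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload

# Constructed samples (not real captures): a plaintext login POST and an ICMP echo reply
# from a host whose default TTL of 128 has been decremented by two router hops.
SAMPLE_POST = build_ipv4(6, 64, build_tcp(
    b"POST /login HTTP/1.1\r\nHost: vuln.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 30\r\n\r\n"
    b"username=alice&password=s3cret"))
SAMPLE_ICMP_REPLY = build_ipv4(1, 126, struct.pack("!BBHHH", 0, 0, 0, 1, 1) + b"abcdefgh")

CRED_KEYS = ("user", "pwd", "pass")   # the search phrases used in the Wireshark walkthrough

def parse_ipv4(pkt):
    """Return (ttl, protocol, payload) from a raw IPv4 packet, honouring the IHL field."""
    ver_ihl, _, _, _, _, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    return ttl, proto, pkt[(ver_ihl & 0x0F) * 4:]

def find_plaintext_creds(pkt):
    """Return {field: value} for credential-like form fields in an HTTP POST, else {}."""
    _, proto, seg = parse_ipv4(pkt)
    if proto != 6:                       # not TCP
        return {}
    data = seg[(seg[12] >> 4) * 4:]      # skip the TCP header using its data offset
    if not data.startswith(b"POST "):
        return {}
    _, _, body = data.partition(b"\r\n\r\n")
    form = parse_qs(body.decode("latin-1"))
    return {k: v[0] for k, v in form.items() if any(c in k.lower() for c in CRED_KEYS)}

def guess_os_from_ttl(pkt):
    """Map an ICMP packet's observed TTL to the nearest common default (heuristic only)."""
    ttl, proto, _ = parse_ipv4(pkt)
    if proto != 1:                       # not ICMP
        return None
    if ttl <= 64:
        return "Linux/Unix (initial TTL 64)"
    if ttl <= 128:
        return "Windows (initial TTL 128)"
    return "other (initial TTL 255)"

if __name__ == "__main__":
    print(find_plaintext_creds(SAMPLE_POST), guess_os_from_ttl(SAMPLE_ICMP_REPLY))
```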
Written By: Priyansh Gupta
Reviewed By: Sayan Chatterjee