Wireshark and Recognizing Exploits, HakTip 138

Captions
This episode of HakTip is brought to you by Citrix GoToAssist, the number one global market leader in remote support. Welcome to HakTip, the show where we break down concepts, tools and techniques for hackers, gurus and IT ninjas. I'm Shannon Morse. Today we are checking out Wireshark with an exploitation attack. Now, working on the shoulders of last week's episode, this week we'll discuss what exploits look like in Wireshark. There are plenty to cover and I'm just going to do two, so just stick with me, and then you can find other examples on the internets.

So the example that I'm going to be sharing is from the Practical Packet Analysis book by Chris Sanders, about, well, Wireshark. This packet is going to show you what happens when a user visits a really malicious site that's using a bad version of Internet Explorer. Now, this malicious problem was called Aurora; it was back from, I believe, 2010. What it's doing is called spear phishing.

First we have HTTP traffic on port 80, so that looks pretty normal if we go all the way up to the top. So, first off, if we go all the way to the top of the stream, to packet number one, we see a whole bunch of traffic going over HTTP port 80. Looks totally normal, right? Now we notice that there is a 302 Moved response right down here, that's packet number six. That's kind of weird; it doesn't really happen every day, so it might be something that we need to look at. So that could be a malicious site, and the Location is all sorts of weird. If we scroll down a little bit now, and if we look at this, we'll notice that the Location right here, that's where you're going to see something strange. So if that looks odd, that might be a red flag.

Now there is a whole bunch of data that gets transferred from the new site to the user after this. If I click on Follow TCP Stream, and I can just do that by clicking here, I notice that there's going to be a whole bunch of information up at the top. It looks decently normal, and then we scroll down and we see this thing in a script command. So it's a bunch of gibberish that looks pretty odd; it doesn't make a lot of sense. And then if we scroll down all the way to the bottom we see that there's an iframe attack going on here. So what in the world is this iframe thing? That's going to be a red flag as well. In this case it's the exploit being sent to the user.

Now I'm going to close this and I'm going to scroll down a little bit, after I erase that, to packet number 21, and we notice that we're receiving another GET request. So this time, if I scroll all the way to the side, it's for a GIF, or a "jif", depending on who you are. So it's a GET request for some kind of image. Now lastly, if we follow packet 25, which looks like so, I'm going to follow the TCP stream for this, then we really get a red flag. When we open up this, we see that there's a Windows command shell and the attacker is gaining admin privileges to our user's files. Like, there's a password.txt in here, which is pretty kind of scary. Okay, that's freaky, but now a network admin could use this intrusion detection system to set up a new alarm whenever an attack of this nature is actually seen on their network. So it's really, really useful to find out what this stuff looks like in Wireshark, so you can actually set up some kind of, you know, cut-off point so they won't be able to get into your network. Now I'm going to be right back with some more exploits and fun with Wireshark.

With GoToAssist remote support you can provide live and unattended support to any computer or mobile device. You can screen share with employees to diagnose and fix their support problems faster and more effectively, and you can use GoToAssist apps to deliver support anytime, anywhere, from your Android, your iPhone or your iPad device. Now, with the new SeeIt feature, people can stream their smartphone's camera to GoToAssist, so you can even see whether something's wrong with the hardware. Sign up today for a 30-day free trial: no contract, no credit card needed. Visit gotoassist.com and click on the Try It Free button right now, and if you purchase a GoToAssist annual plan before March 31st you'll get a free Samsung Galaxy Tab 4 as well. That's gotoassist.com, and we would like to thank them for their support of HakTip.

We're back with more exploits and Wireshark. Now, if someone is trying to do a man-in-the-middle attack on a user, it might look something like this. So it looks pretty normal, right? But as we scroll down in here, we notice that there's also something else interesting happening here. We notice that there are these three different cases where this Hewlett-Packard, this HP device, just kind of shows up out of nowhere. That's kind of weird. Normally when this happens it's going to be an ARP cache poisoning attack: it's ARP packets being sent back and forth, but in packet 56 the attacker sends another ARP packet with a different MAC address from the router, thereby sending the user's data to the attacker and then the router, hence man-in-the-middle attack. If we compare packet number 57, with the destination IP being 147, the MAC ID shows up as Hewlett-Packard's, so this HP computer. But if we look at an earlier one that's supposed to be sent to the router, like number 40, it's also being sent to IP 147, but the MAC address is for the Cisco router. Huh. Obviously an ARP cache poisoning attack.

Now I want to know if you guys have ever seen any kind of attacks on your system, and how you really were able to notice that it was there in Wireshark. Let me know what you think, and of course your comments below, or email us at tips@hak5.org, and be sure to check out our sister show Hak5 for more great stuff just like this. I'll be there reminding you to trust your technolust.
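The ARP comparison done by hand in the second half of the episode (packet 40 maps the IP ending in 147 to the Cisco router's MAC, packet 57 maps the same IP to the HP machine's MAC) is easy to automate. The Python below is an added example, not code from the episode or from Wireshark; the ARP records and MAC addresses are constructed, laid out as tshark-style fields (frame number, opcode, sender IP, sender MAC), and the IP 192.168.0.147 is an assumption standing in for the ".147" host mentioned on screen.

```python
"""Flag ARP replies that re-map an already-seen IP address to a different MAC.

This is the episode's check done in code: the first reply seen for an IP is the
baseline, and any later reply claiming a different MAC for that IP is reported
as a possible ARP cache poisoning attempt.
"""

# Constructed sample records, not the episode's capture.  Field order mirrors the
# tshark fields frame.number, arp.opcode (1=request, 2=reply),
# arp.src.proto_ipv4 and arp.src.hw_mac.  MACs are placeholders, not vendor OUIs.
ROUTER_MAC = "00:11:22:aa:bb:01"    # stands in for the Cisco router
ATTACKER_MAC = "00:11:22:cc:dd:02"  # stands in for the HP machine
SAMPLE_ARP = [
    (40, 2, "192.168.0.147", ROUTER_MAC),            # gateway answers normally
    (41, 1, "192.168.0.10", "00:11:22:ee:ff:03"),    # ordinary request from a client
    (56, 2, "192.168.0.147", ATTACKER_MAC),          # same IP, different MAC: poisoning
    (57, 2, "192.168.0.147", ATTACKER_MAC),          # repeat of the claim, already known
    (60, 2, "192.168.0.10", "00:11:22:ee:ff:03"),    # consistent client mapping
]


def detect_arp_remaps(records):
    """Return (frame, ip, previous_mac, new_mac) for each reply that changes an IP's MAC."""
    ip_to_mac = {}
    alerts = []
    for frame, opcode, ip, mac in records:
        if opcode != 2:          # only replies land in a victim's ARP cache
            continue
        mac = mac.lower()
        known = ip_to_mac.setdefault(ip, mac)
        if known != mac:
            alerts.append((frame, ip, known, mac))
            ip_to_mac[ip] = mac  # follow the new claim so a flip back is flagged too
    return alerts


def wireshark_filter(alert):
    """Build a display filter that isolates every ARP frame about the suspicious IP."""
    _, ip, _, _ = alert
    return f"arp.src.proto_ipv4 == {ip} || arp.dst.proto_ipv4 == {ip}"


if __name__ == "__main__":
    for alert in detect_arp_remaps(SAMPLE_ARP):
        frame, ip, old, new = alert
        print(f"frame {frame}: {ip} moved from {old} to {new}")
        print("  inspect with:", wireshark_filter(alert))
```

Wireshark's own ARP dissector raises a duplicate-address expert warning for the same condition, which you can pull up with the display filter `arp.duplicate-address-detected`.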
Info
Channel: Hak5
Views: 83,071
Keywords: hak5, haktip, shannon morse, Snubs, Wireshark, exploit, phishing, Packet, iframe, admin, man in the middle, mitm
Id: 7iguG7va4l8
Length: 6min 6sec (366 seconds)
Published: Thu Mar 12 2015