Wireshark Basics for Wi-Fi Hacking

Captions
Hello and welcome to another episode of Hacking with Friends. Today we're going to go over something really cool, which is Wireshark hacking for absolute idiot gremlin babies. My name is Kody Kinzie, and today we have our absolute idiot gremlin baby here, Michael. We're going to be starting out using Wireshark from the perspective of a beginner and see what it's useful for, as well as actually going and doing a little bit of Wi-Fi hacking with it and seeing what it can really do. Michael, are you excited?

I'm so excited to be a baby gremlin.

Let's not do that voice ever. Okay, so Michael, how much do you know about Wireshark?

Basically it's a program that captures packets as they're going across the network, and then you can potentially use it: if you had a handshake and all the encryption stuff, you could decrypt packets and analyze them and look at, oh, this target device is going to this website. You could potentially steal passwords, depending on whether or not it's using HTTPS.

How would you explain Wireshark to your grandma?

It's a wiretap.

Hey, that's pretty good. All right, so yeah, Wireshark is basically like a wiretap, only we're looking at Ethernet connections as well as wireless connections. This also applies to other types of signals: you can look at Bluetooth signals and other sorts of interesting stuff in Wireshark. It's really, really modular. I've seen people looking at communications from satellites.

Do you have to have special hardware for that, like an SDR and an Ubertooth?

Think of it this way: Wireshark is a way of interpreting tons of different protocols that are used for wireless communication. So whatever you need to gather that wireless communication, that's the hardware that you need, and once you bring it into Wireshark, then there you go. So my laptop computer has a wireless network adapter that's compatible with Kali Linux, as well as this other one I'm using today, a Panda Wireless network adapter, which is the one we used to use before Alfa wireless sent us a big goodie bag of compatible ones, which in my opinion are a little bit higher quality. But Panda Wireless stuff works pretty well, because the chipsets that it's based on are really well supported by Kali Linux. So if you're looking to get started with Wi-Fi hacking stuff and you don't have this ThinkPad that has a compatible wireless network adapter, then you can always just grab a really cheap wireless network adapter to go along with it. We recommend Alfa wireless, but if you want to check out Panda Wireless, they're pretty good as well.

And when you say compatible, what you're talking about is supporting monitor mode, correct?

Yes. What I mean by that is not every wireless network adapter has the capability of going into monitor mode. We're looking for ones that have the correct chipset to interface with the driver that's supported in Kali Linux, and at the end of that we get the ability to put this into a mode where it listens to everything, not just what is being broadcast for the specific device on the specific network. Now, the average wireless network adapter is created to allow a one-on-one conversation between you and the router, but other network adapters are able to be put into this special mode that allows them to listen to everything. So if you're stuck with a wireless network adapter that doesn't support this, then you are basically stuck only listening to traffic that is meant for you, or at least on the same network.

Yeah, monitor mode is pretty powerful. So that's how you capture the handshakes and everything, right?

Well, that's how you capture all the packets, and the handshakes are just one example of a useful packet that we can capture. But today we're going to go way beyond that. We're going to start taking a look at what happens when we're spying on a wireless network from the outside, and then we're going to show how versatile Wireshark is by actually trying to break into the wireless network and try to see what's going on inside of it, so we would hopefully be able to see maybe some passwords, something like that.

So this is like the post-exploitation, like, okay, I've gotten a password, now what exactly can I do with all that?

Well, we're going to start even further back. We're going to start from the perspective that we don't have a password to this network, and we're going to try to actually break into the network and then start using Wireshark to start observing packets. So we're going to start on the outside, we're going to try to use another program to break the password to the network, get in, and then we'll put that password into Wireshark and hopefully be able to decrypt communications that are happening between other devices on the network. So that's pretty advanced, but we're basically peeling back a layer of security and directly monitoring as though we were on an open Wi-Fi network and able to see everything in plain text.

Now, you say this is pretty advanced. What skills or what requirements do I need to meet to be able to perform an attack like this?

I mean, you need Wireshark, a compatible wireless network adapter, and maybe 15 minutes of time.

Okay, so maybe not that advanced.

Yeah. So when I say advanced, this is a fairly advanced use of Wireshark. It's usually used as kind of a one-off tool when you're investigating something. Some people live and breathe Wireshark, and it is truly incredible when you really take it to its fullest level, but for people that are just casually using this, this might be a little bit above and beyond what they've done with it before. So hopefully I'll be able to go over some useful ways that you can get into Wireshark, see what's going on, and actually make some use of what's there. When I talk about wireless reconnaissance and signals intelligence, we get into things like Kismet and WiGLE WiFi and some of the other offshoots that provide different windows into the wireless environment around you, but I think that really, for inclusiveness and the ability to drill down into data, Wireshark is by far the most advanced tool, and I really advise that anybody who has the time and opportunity to learn it take a look at it. I've been able to do my own research with it; the output format is able to be put into things like Jupyter Notebook to do analysis, so a lot of the things I've recorded in Wireshark later go on into projects in Jupyter Notebook to enrich the data and basically pull information out. So it's a really powerful research tool, and it's also a great hacking tool, which is what we're going to explore.

Yeah, I was going to say, I think I've even played around with it for the API reversing kind of stuff that we've done previous live streams on, because when you're analyzing those packets you can see what requests are going back and forth, and that can help reveal what's under the hood for an app or something like that.

Yeah, and a really good beginner exercise is basically proxying yourself, or sitting in the middle of your traffic, and just looking at everything that's going through. If you're able to make it so that you're sniffing communications, some of this also can be amplified by techniques on the network like doing some ARP spoofing and then going through the traffic once you're doing that, so all traffic is flowing through you.

So ARP spoofing is when you're emulating the router, right?

Right. So if we really wanted to get in the absolute middle of this network, what we would do is we would get in, and then we would start ARP spoofing and telling everything on the network that we are the router and they have to send the traffic to us, when in fact we are basically receiving the traffic, editing it maybe, or at least observing it, and then sending it on to its destination. So it's a sneaky way of sitting in between the router and everybody else that's trying to communicate on the network and using that trusted position to peel back some of the communication that's going on.

And what about SSL and other forms of encryption like that? Is there any way to bypass those encryption schemes?

You can try to downgrade it, which is a valid way of attempting to get around SSL, but SSL generally makes things a lot harder. Although my advice is, you know, if you can redirect someone based on DNS queries... You can see where people are querying via DNS, so that means that you can see where they're going, if not exactly what they're doing. So that gives the opportunity for you to just redirect them to a phishing site that looks like the same thing, and you can even throw up a quick SSL certificate for that website, so if they're not paying attention they'll have no way of being able to tell that they're on a fake version of that website.

Okay, and now with DNS, though, you're only really seeing the website, you're not seeing the exact page on that website that they're going to, right?

Right, we're seeing where they're going but not the contents of their communication. So it's more like metadata, but it gives us enough for us to target them, so that we know the next time they request that website, for example, we could serve up a fake version and just redirect where DNS says that website is located.

That sounds pretty nifty.

Yeah, it's really cool. So let's go ahead and get started. As I said, you'll need a Kali Linux compatible wireless network adapter, or at least one that you know can be put into monitor mode. It's really useful if it's Kali Linux supported, and there's lots of resources out there for you to find the right chipsets. Generally the way this works is there's a chipset inside that basically determines the way it's going to interact with anything you plug it into. So if you have a good chipset that's well supported and able to be put into monitor mode, the individual model of this wireless network adapter generally doesn't matter too much, provided that it has a good chipset inside of it. We've done a separate live stream, which I don't think is on our YouTube but it is on our Periscope, and that's one of the first things: you can crash the Kali Linux computer by testing out a bunch of random wireless network adapters from the internet. So if you want to see us trying out a bunch of these for their compatibility, the results were surprising. In fact, one of them I think is an exploit in and of itself just by how quickly it's able to crash computers.

All right, let's go ahead and switch to Michael's computer. Get off of my Google. There we go. All right, so here we have Michael running Wireshark. Michael, do you have any idea what's going on right now?

Yes, there's a long stream of information, of which I barely understand half of it. I kind of know this is the Wi-Fi and LAN protocol, but I don't really know what that affects. SSID is the network name. Length, I'm assuming, is just how big the packet is. Source, I think... I just saw Google Starbucks.

We are nowhere near a Starbucks. I know that trick. Don't do that.

Okay, so what do we know is going on? Looking at the screen, I'm getting all sorts of information because I understand what's going on, and I can see on the Info part, which is on the right side, it tells you what type of packet it is. So I can see... oh, weird.

So a probe is when it's like, hey, is this network around?

Yep, so there's a device around here that's probing for Google Starbucks, I think. One second, I wonder whose it is. And then there's also a bunch of different networks that are nearby that are advertising, lots of different beacons per second, saying hey, I'm here, I'm available to connect to.

And didn't you actually do some research previously on how you could identify people's devices by spamming those fake beacons?

Yes, we did that in another one of our live streams. We actually used Wireshark to record the unmasking of nearby devices by creating a ton of fake networks that appeared to be really common open networks and recording which ones nearby devices were attempting to connect to, because they automatically recognized them, having connected to them before. So that was another really interesting use. Now here I'm going to take the mouse. If we go up to Tools... Wireless, we can see WLAN Traffic, and we get a lot of information about our wireless environment. Here we can see, if we organize stuff by SSID, the number of packets we've received (so overwhelmingly the packets are from this network), the percentage of retries, the number of beacons total, and then the number of data packets. So we can see this is by far the most active network; someone is on it. And to me as a hacker I'm like, oh, data packets, that means someone is using this network currently. I can see probe requests. If I want to see the number of probe requests, I can see somebody is probing relentlessly for Google Starbucks.

That's okay. When it says "broadcast" right under here, does that mean that it is a hidden network?

No. On the left you see that MAC address, that's broadcast. If you're sending a message over Wi-Fi to just all Fs, that's sending it to everybody; that's a broadcast message.

Okay, gotcha. So what's the purpose of that?

A broadcast message is basically a way that nearby devices will address anybody in range. So that's basically saying hey, does anybody in range have a Wi-Fi network? Respond here. And that way they are hoping to get back a directed request that says hey, I'm here, here are my capabilities, and they can connect.

Yeah, and is that where this would come in, like a broadcast but with a specific MAC address?

Yeah. So in this case it looks like two different devices were sending packets to just broadcast, which is, you know, anything, just all Fs, and they sent a packet and then there was another retry; it looks like it never made it there. But you can see basic information about the MAC addresses that sent it. Again, this could even be the same device if it's changing its MAC address. This just gives us the perspective to know, okay, what is it calling for, and here we can see that there's some device calling for a MicroPython network, and it also looks like it's probably changing its MAC address. Oh, in fact, it's probably my phone. So there's a MicroPython network that I have to connect to in order to do MicroPython stuff, so since I've connected to this in the past it looks like my phone is repeatedly sending out probe requests. Oh no, probe responses, so that means that something is responding as this network nearby. So basically that's an indication that something's calling out for this network and then it's being responded to.

Cool.

So one thing that you might notice, though, if you were to dive into this a little deeper, is that everything is on the same channel, and there's a reason for this. We can click on any of these packets that we're interested in and we can scroll up, we can scroll down. Here's the thing that lets us pin to the bottom so we can always see when things are being updated. But if I wanted to check out, let's see, just a beacon frame here, I can double-click it. I can see the entire thing, I can expand it. I can see that in the tag parameters, that's where it says "by Spectrum WiFi". I can expand that further, but if I go into the details from the 802.11 radio information, I can see everything is on channel 1, and I can verify this by... oops, no. Down here I can go to the same area, right-click on the channel, Apply as Filter... oh no, sorry, Apply as Column, and now I can see that everything is on channel 1.

So why is it on... because aren't there like 12 to 14 channels for Wi-Fi?

Yeah, 2.4 GHz, yes there are. So all right, this is a lot of information. We basically got this running, everything's on the same channel, we can see data, but we're on the outside of the network. We're basically just taking a look at nearby networks, assessing what's going on between devices and networks, seeing who's connected to who. All this is really useful information for a hacker, but we're also restricted a little bit because we're only able to listen on one channel, and that's because Wireshark doesn't really have the ability to manipulate the wireless network adapter; it's not really what it's for. So instead we're using another program, in this case airodump-ng, to change the channel of the adapter. We can tell it to either go to every channel and skip around so we get a little sample of everything in the immediate area, or we can set it on a specific channel, like we have it now, to just listen there.

Oh, and so is that why... I forget the guy that made it, but the Wi-Fi Cactus, where they have multiple adapters, so that they basically never have to skip around?

So you have just enough to be able to listen on every channel. I believe the next year they tried to do every 5 GHz channel as well and the device was very hot.

Yeah, I heard they got like terabytes of data in like minutes.

Yeah, it's crazy. I don't know where they saved it all. Okay, so let's go ahead and switch over to my screen, and I'm going to take this wireless network adapter and plug it in, and we're going to start from scratch. Hopefully, if we can see it well... are you plugged in?

Yeah. Oh wait, wrong button, wrong button. Yeah, that's your screen. Oh no, wait, is that my screen? No, that's your screen, bro. Oh wait, wait, there we go. Yes. All right, sorry, okay, I couldn't tell the difference between three and one for a second.

Okay, so we're going to go to our terminal window. I'll make this a bit larger, and I'm going to type ifconfig, and I now have this new wireless network adapter plugged in; it's wlan1. I'm going to put it into monitor mode. Again, this is super, super easy on Kali Linux. If you're doing this in Ubuntu you have to install some stuff: you have to install Wireshark, you have to install net-tools (in our case because the wireless network adapter kept going down), and you have to install aircrack-ng, and once you have those three things then you're able to do this.

Okay, so wait, explain why we need all three.

So we need Wireshark because we're looking at... right. We need aircrack-ng because we need to put our wireless network adapter into monitor mode, and we need net-tools because it contains ifconfig, and I cannot remember how to bring up a wireless network adapter that's down in iwconfig or ip a right now, so I'm just using that. So in order to follow along, that's what you would need. I know there's a way to do it in ip a, I know there's a way to do it; I'm sure there's some sysadmins in the comments, please let us know, just remind me what that is. But I know there's a way to put the card into monitor mode and do all that stuff in iwconfig, that's the more modern tool that Kali wants you to use, but I'm just attached to ifconfig. It's nice. So all right, let's put this into monitor mode: airmon-ng start wlan1. And we can see this chipset is pretty well supported, so we should be fine. If I do ifconfig again, or ip a, I can see that wlan1mon is now the name of the adapter because it's in monitor mode, and if I do iwconfig I get another view as well. We can see that right now it says power management off. I'm curious to see if I type ifconfig... no, it does show up, okay. So sometimes this won't show up, and if you need to bring it back up you can type ifconfig wlan1mon up and it should bring it back up. So now I'm going to do wireshark, and that's the simplest command ever, there you go. And in Wireshark I have a bunch of different interfaces, but this is the one I'm interested in, and if I begin capturing on it then I should be able to... wait, there's a dark mode for this. I need dark mode.

Oh yeah, I forgot. Yeah.

So here we go. We're seeing just probe requests, we're not really seeing anything else, which is a little bit curious. So what's up with that? Well, for one, we're probably on a different channel. So if I look at the 802.11 information I can see I'm on channel 10, and I'm going to add this as a column.

So if you wanted to skip around, you need to do that in aircrack-ng, then?

That's right. Well, airodump-ng.

Or air... yeah, airodump-ng, oh okay.

So I'm going to apply this as a column and we can see, yeah, everything's on channel 10, and guess what, the party is not on channel 10. There's some stuff going on, but it looks very boring. It's basically my phone and this laptop calling out for networks that it has joined before. Now that's not useless. If I wanted to, I could probably trick things into connecting, so if I'm a hacker, if I want to just use this information to try to create a network and get these wayward devices to try to connect, then that should work just fine. But let's say that we want to set this up and actually see everything. I'm going to go back to my terminal, and I am going to split my terminal horizontally because it looks cool, and then here I'm going to run airodump-ng. I'll make it bigger... no, it's a little tiny. airodump-ng wlan1mon, so I'm addressing that wireless network card, and now I'm going to put it into... what channel do I want to do? Actually, none, let's scan everything. So now it's skipping around, it's showing all the stuff, and if I go back to Wireshark then guess what: 6, channel 1, channel 8, channel 3.

And so Wireshark's automatically interfacing with that? Or did you have to do a special command?

No, no. The interface was already open, and I'm running, so we can manipulate the interface without bringing Wireshark down; it's all fine. If we bring the interface down, then Wireshark is going to be confused and we won't have anything to bring in. But yeah. So basically I'm connected to two different networks here: I'm connected to the network that I have permission to join and I can see traffic on, and I'm also not just on the outside, using this wireless card where I'm just looking at stuff around me. So if I want to actually go after a network, well, that's not too difficult to do. So I'm going to, on my phone, just go ahead and create a Wi-Fi network, which I just did, and it's going to be called testnet. So let's say that we're a hacker, we're starting from scratch, we want to identify this network testnet, and we're going to look around. We see that there's also beacon frames, so there's a bunch of different ways we can start hunting. First we can start using filters to make our search easier. So if we click here, I can see, if I bring this up, that there's a lot of different information I can expand, and one of them is probably going to be the name of this network.

So if I type... so, filtered by SSID, that's what I'm thinking.

So here we can see Tag: SSID parameter set. Let's expand this, we can see SSID, and then this right here. So let's right-click, Apply as Filter, Selected, and now let's just try to change this to testnet.

Okay, so in the top bar there you can start setting the parameters up there, right?

So the top bar is basically our display filter. The display filter allows us to make either single or compound expressions that let us filter the information to make more sense, and here we're trying to figure out, you know, what channel is this operating on, and it's pretty definitive now: we can see channel 6, and it looks like it's peeking over to channel 7. But if you really want to start zeroing in on this network, then we can do it on channel 6. So I'm going to, in aircrack-ng... or airmon... no, airodump-ng, press Ctrl-C, go back up, add -c 6, and we should now see dramatically more packets from our target because we're not going to be skipping around anymore. So let me go down to the bottom. Yeah, so we're seeing more packets, and the reason we're seeing more packets is because we're locked on the channel that this is broadcasting on. So instead of just kind of getting a sample of everything that's going on and missing a lot of packets from this network, we're now locked on and we're watching this one particular network. So okay, there's other ways we can watch this network as well. If we've decided that this is the network we want to watch, let's say that we want to watch all traffic going in or out of this network, we can use the filters to do that. So if we look here we can see some information about this device. We can see the frequency, the signal strength, which I think we've done another live stream on, using the signal strength to create a graph so we can track stuff down. Then we have the receiver address, which is broadcast...

I'm going to say that signal strength alone is a useful feature, like if you're setting up Wi-Fi in your house or whatever and you want multiple access points not to overlap channels and stuff.

Right. So yeah, let's say that we get down here and we also see the transmitter and the source address, which is usually the same but not always, as someone pointed out in the comments. So we're going to take the transmitter address in this case, we're going to right-click and Apply as Filter.

So it's just like the MAC address of the access point, then, or the device transmitting?

Yes. So now we're seeing all traffic coming from this MAC address, meaning we're seeing all traffic coming from this access point. So we're seeing a bunch of beacons, well, and we'll see anything else now too. So before we were just looking for beacons, now we're looking for all traffic. But we're still missing half of what we're doing here, because we're only seeing traffic that's going out. What about traffic that's coming in? What do we do, Michael?

We search for the MAC address associated with that?

Well, what we can do is first we can make a compound statement. So we can do "or", and then we can take this and basically flip it using a single character. So here, if we go and put "da", that means destination address. So then if we're seeing both the transmitter address and the destination address, then what that should mean is that we're looking for basically everything, so anything coming out and anything coming in. So we're looking for anything addressed to this network from an outside device, and we're also looking for anything that is coming out from it. So both ways we should now be able to see.

That's pretty cool how you can just do that really quickly from the bar. Is there anywhere you can get help, or anything where you can see all the commands that you can use in these filters?

I'm sure. Well, I mean, I don't know. There's a lot of good write-ups on this, but I find that it's kind of hard to find these, and what I do is I just click around. I right-click on something and then I'll set it as a filter, and then I'll just be like, oh cool, this is exactly what I was looking for. So basically play around with it; basically learn filters by right-clicking on values, and then when you see them, manipulate them and see if you can make them more useful. For example, I have a couple saved ones that will only try to match the first half of the MAC address, so I can identify devices by manufacturer by looking for the same string in the first half of the MAC address, and that allows me to make a list of maybe only Apple devices that are broadcasting. So it's very, very flexible, the way that you can use it, and I really, really like the way it does that. So if I want to add another condition, it's going to say...

I like how easy this is to get up and running, but then also it seems like it has a bit of a steep learning curve, because you have to have a lot of intrinsic network knowledge to really take advantage of some of these advanced filters and such.

Right. So, uh-oh, there's nothing, and that's because... what did you do? You broke it, Kody.

Yeah, so I added an "and", and that "and" is actually providing a logic gate now that's saying, okay, it has to be to or from this access point, but it also needs to be an EAPOL packet. Do you know what an EAPOL packet is?

No, that's the kind of intrinsic knowledge I was talking about, just knowledge of networks.

Oh yeah, so that's a handshake.

Okay. Do you know what a handshake is?

Yes, I know what a handshake is, but I don't have a fancy name for it.

All right, so I'm going to attempt to connect to this network now with my other wireless card. I still hate that there's a MicroPython device down here and I intend to find it. So we're going to connect to more networks, testnet, and as we connect I'll need to put in a password of some sort. And let's see what happens. So if I've set this up right, then hopefully... yeah, here we go, look at that. So you can also see that it has 1, 2, 3, 4, and then it looks like... so this is that four-way handshake. This is the four-way handshake, but if we were to save this right now, then it actually wouldn't be enough to crack this password. Do you know why?

I don't know. It seems like we have all four. Is there another half of it?

Not quite. So I'm going to remember this expression, but basically I also need to get a beacon. The way that these handshakes work is that it takes the SSID of the network, so the network name, combines it with like the MAC address, and then through some formula comes up with this really long number. So we actually need all of that information in order to pull off an attack on this password.

So if we go back, we actually have that information there, we're just filtering it out right now, right?

Exactly. So if I go back to this command, then I have all the stuff that's going in and out of our target network. Okay, great. If I click on it, I can see that there's other ways I can set a filter, so let me just collapse some of this. All right, so 802.11 radio information, nope, that's not what I want. IEEE... all right, so we can see it's a beacon frame, and this is what we can use to filter. So I'll Apply as Filter, Selected, and this is the other thing we can use. So now if I were to put in our previous expression... oh my god, that's getting long. Yeah. "or"... whoa.

All right, so what is this monster expression?

Yes, so let's walk through this. We're saying we want to see anything to or from this MAC address, which is our target access point, and it has to be either an EAPOL, so either a handshake, or it has to be a beacon frame. So that's everything we should need in order to crack this handshake. If I scroll through, it looks like it's all pretty much beacons, and I'm hoping that somewhere nestled amongst... yes, here, nestled amongst these beacons is the precious handshake. So I am going to save this now. Let me stop this capture. I'm going to press File, Export Specified Packets, I'm going to select the displayed packets, and then, like, pcap. I'm going to call it handshake_demo1, I guess. I'm going to save that not in root, I'm going to save it on the desktop. Where is it? Desktop. I'm going to save it here, and I have a bunch of different options: I can save it as a pcap, pcapng... I'm going to save it as a pcap.

So would pcap just be packet capture?

Packet capture file. I can do a modified tcpdump, whatever, I'm just going to save it as this. So we'll save it as a pcap file, handshake_demo1.pcap, and then I'm going to open up my terminal window again. I think I already have it nicely split here. Okay, so let's stop this. I can see I also got a handshake here, but I wasn't saving.

Yeah. Is there a reason you might want to use Wireshark to capture a handshake over something like aircrack?

Yeah, it's more nuanced. It's basically capable of doing all of this stuff, whereas aircrack-ng or airodump-ng, jeez, is basically designed to do one exact specific thing. So if this just comes up in the course of something else you're doing and you happen to see that there's handshakes going out, you can capture them in Wireshark, see that they're valuable, and export them and run them the exact same way. So it's just much more powerful.

Gotcha.

So let's do airodump... well, first let me ls. airodump-ng... no, sorry, aircrack-ng.

So you could pretty easily take a Raspberry Pi or something like that, stick one of these network adapters on it, and then just leave it somewhere to capture all the packets going through a network?

Yeah, you could. So I'm going to use this password list, let's see, and let's see if this works. Oh, that worked so fast. Okay, well, that didn't take much time at all, did it?

Best password ever.

Okay, so we were able to get the password almost instantly. Admittedly I didn't use a very long password list. If I look at the other ones we have, let's do rockyou; that'll at least run for a minute, but I would think "123" is really close to the top.

We get a little bit of drama.

Yeah, okay, see, we got 0.02 percent of the way through the list. So it's not maybe the best password ever. You might want to change that if that's your password. But we used Wireshark to get the information we needed, and we exported it with the beacon frames so that we could run this successfully, because if you just export the handshake it's not going to work. All right, so let's take this to the next level. We now have the password, which is password123. What can we do in Wireshark to take a peek into a network that we're not actually a part of? So if I press start again, I'm going to... the shark fin is start.

Yep, shark fin is start.

I'm going to continue without saving. We're still on the outside of this network looking in. So if I go to Settings, or actually Preferences, I think... where is it? Maybe I have to stop to do Preferences. I'm just going to stop. Preferences... no, no, no, Options, no, Merge, File Set... wait, where are Preferences? Edit, Preferences.

So essentially what you're doing is logging in...

Preferences, the last one. What? No, Ctrl-Shift-P. Yeah, I am not logging into the network at all.

No? Okay. Absolutely not. So this will not leave any signs on the network.

I am basically decrypting packets on the fly. So, no.

Okay. So basically, if you want to think of it in different terms, it's like people are sending mail back and forth and you're intercepting the mail, opening it...

Exactly.

So no one knows that. Oh hey, man in the middle.

All right, so here we can see Protocols, and there are a lot of protocols that are supported by Wireshark, and scrolling through, most of them do not look familiar at all.

Yeah, so what are we looking at?

We're looking at tons and tons and tons of protocols. So I'm going to type in "I", and what we're looking for is, I believe, IEEE 802.11, and this is where all the Wi-Fi options are. So we can see: reassemble fragmented datagrams, ignore vendor-specific... blah blah blah, we don't really care about this. Ignore the protection bit, no. Enable WPA key override, don't know what that is. Now what's this: enable decryption. That sounds exciting, right? So if we click on edit encryption keys, we can see that there's none here. Okay, so a sad state of affairs.

Can you just input password123, or do you have to, like...?

So I click on the plus button, it'll give me options, and then there's three different ones: WEP key, WPA password, and then WPA PSK. Now the WPA PSK works best, I find, and there's a couple different ways you can calculate this. I don't know why Wireshark doesn't just calculate it for you; maybe there's some extension that does, I don't know. There's websites that will do it, so if you just type the password into the website it'll give you the PSK with the SSID. In our case let's try the pwd. This may work, it may not; I've had it not work in the past, I've also had it work in the past. So here's password123... password. Yeah, press OK, press OK, and now it should be attempting to match, or basically it should be attempting to decrypt packets that are going to or from this network. So I'm going to remove these filters, so...
back to looking at everything that's going through and then i'm going to go back to the bottom um is there a good way to distinguish which ones are encrypted and which ones are decrypted continue without saving all right so now we're up and running we've got our new settings in place um and we are listening in so all right so yes we will begin to see like http and stuff like that that is a sign of something that's unencrypted so there's still something that we're missing now we need to be able to capture the session key and that means that we need to have someone actually connect to the network while we're listening so that's where we might use a more aggressive tool like uh author or something like the author or something like that to actually kick somebody off the network and cause them to momentarily disconnect and then reconnect and if we can capture that exchange then we should have enough information to start to look inside what is actually going on in the network and so you can do this retroactively like if i if i left this somewheres and captured like files or packets all day long and then eventually crack the password right yeah so this can be this can definitely be done passively um there's no need to do this you know uh like aggressively if you don't want to as soon as you grab the right information just by lurking around you can actually get and start looking at it so let me see if i can find any http information um and if you don't find any http information it's generally a sign that you might have a problem when we have something like this so i'm going to go to an http website mydoogle.com my google.info is not a real page type some stuff in continuay and then i'm going to verify also that i'm on testing yes i am what am i looking at um this is a shout out to our viewer um from france uh yes daisy lay it didn't work so let's look in wireshark we're still not seeing anything and this could be a result of a lot of things one of them is the psk might be 
a better thing to put in at this point so uh if i want to do and so you were saying the psk is just like that hashed uh it's like the password with the mac address and ssid all combined together yeah wireshark literally has a psk generator on their website but like not on that seems a little silly password123 test nets generate psk oh stop it no script just let it silly no script making my life harder look at this animation powering up okay that's the psk it's long isn't it yeah okay so now we're gonna go here we're going to go to preferences again i'm sure there's some fancy math stuff going on there yeah well it's just a hash of those things so we go to protocols again we go through this giant long list to i e e e e e e e e um eta to eleven and then let me go into the decryption keys let's add one and just say if you didn't figure that one out then here it's this isn't it called ieee i added some extra ones for panasonic look boom there we go that was nice so now and that's where we can see like the get request and the put and http sure can so suddenly we can see all the stuff that was previously encrypted um because we managed to get as soon as the device joined we were able to see that yeah and to be clear you're not connected to this at all so like if i were on this network i would not be aware at all that you were looking at this information yeah so i can start to see http information i can dig into it and see what was transferred hypertext transfer protocol what did it just says okay how boring but i can see headers i can see like other information and i can start to even see the websites someone's going to so i can probably also see if i just get rid of these filters entirely then we can just see like what's going on over the network so let's try um going to what's some random website mydoogle.com wouldn't you really like my vertical background see if we can load it and we're able to get some information so i see some http stuff actually i know i want to 
see it again do you have anything continuation response okay what about dns so if we type in dns then we can see dns requests and this is probably the most revealing because we can see right now that lots of stuff is going on um we see our previous uh hey rubicon project i know i know the guy that works there okay so we're just being served very aggressive ads the rubicon project um yeah and this is we can see a beacon is being sent to walmart.com okay uh yeah so a lot of this is just information that's being loaded as we go to the oh my google.com see so if i let's um let's see if we can drill down and then start looking for specific instances of websites i actually haven't done that before but why not right i was gonna say this is a clear demonstration in my mind of why everyone needs uh dns over https oh absolutely give all that to cloudflare they deserve it give all of your privacy to cloud players definitely give every single bite of data to a third-party vendor that's never gonna sell it i'm short or have a breach yeah well i mean even if you're not using their service like it's like a standard though right so like if you could encrypt this data with https like i don't see but law there all right apply as filter selected what is this dns query name my google.com so we can see all dns query results from my google.com so this is like this is a lot we've gone from totally outside the network to getting the network password to breaking into the network and now we as an attacker on the outside of this network we're not doing arp spoofing nothing we're just like watching on the outside and decrypting on the fly we can see this stuff so let's say that i want to go i want to trigger any time that i see someone going to um my google.info the notorious other website so currently there's nothing right no one's going to go to that website it's not real but if i go to my google.info god i hope this is child appropriate nothing there but we can see that somebody was trying 
okay that's pretty interesting right so we can monitor in real time what's going on this way and if we want to we can also see for example what's going on in the background so um do you happen to have your phone with you uh yeah so if you want to see this is probably one of my favorite examples um go ahead and just connect to testnet the password is as you know password123 i'm gonna put dns and let's take a look at some of what happens when we have a mobile device connected and i think that this is a great way for anybody who's interested in privacy to be able to take a look at if they were connected to let's say just a starbucks network something like that exactly what's happening uh because this is also something that could be happening on your network if you don't have a strong password okay i'm on test that okay cool looking up different infos on the app uh okay uh let's see if i go down is this all the way seems like it's still moving i'm not seeing it yep here we go um so it looks like i don't see you are you using a vpn uh yes i am there you go no i know i i i think i am yeah because uh google phi my carrier uh has a built-in oh yes give all your information to google the best vpn of all time google network tool no wait no uh no i don't think i have a vpn on actually interesting interesting okay so uh i can try another app yeah try it or just try it honestly we should be seeing some stuff resolving yeah i'm connected to test that just for google's i'll turn off my mobile data um what's uh nice app to open flight radar anything yeah i mean if this was uh properly connected or if we were seeing i mean if i go to fightwriter.com yeah i was also opening uh dark sky which is like a weather app we're going to see all sorts of stuff oh look at move temporarily oh we're actually we're even seeing the response i misspelled it didn't i yeah you definitely yeah i know it's flight radar 24 sorry oh that's really funny it's just like please give us ten thousand dollars 
but i can see that my re my small tone has moved temporarily and all this other stuff but so this that's the difference between you know having someone connect and being able to get their session key and read all that stuff and someone who is using a vpn perhaps or otherwise uh yeah isn't uh just exposing all their data so if i were to throw on a vpn start using tor or something like that then i would be able to actually evade this but i could also you know um start looking for tour packets and identify that somebody maybe was on the network using it and i think this is a pertinent point to reiterate that like all of this you should only do with networks that you have permission to because this would be highly illegal if you were doing it on a network only part of this that the legal is cracking the password yeah if you know the password to a wi-fi network and you want to start sniffing away it is absolutely legal in the united states as far as i know um if you live in some we are not lawyers we're not giving legal advice i'm not a lawyer but i will tell you that it's perfectly fine to do um if you're in the united states you are allowed to sniff uh passively sniff meaning you're not joining network you're just detecting and descripting packets i mean why would it be illegal you know if packets are going out over the airwave if you grab them and just work some map on them i was going to say this is that if you're passively recording this too isn't this like how um like uh shopping malls and stuff will like track you through the store by tracking your um signal strength from multiple locations yes and logging that over time you can track a device pretty accurately with just some simple triangulation so one thing i also want to go through is just you can also take a look at once you're inside the network resolved addresses um so we can see different ports that were resolved we can see uh hosts that were resolved um it's it's a really wait wallet why is it not showing 
anything um we can see endpoints i want to see protocol hierarchy conversations um so here we can see conversations that were going on between different websites um oh wait is am i still running i think maybe i can't run i think maybe i can't do this while it's still running let me press stop so statistics capture file properties resolved addresses is it going to populate now [Music] statistics uh i o graph oh this is actually useful when we're running this is how we were able to uh determine spikes and signals so we would be able to generate crops from pretty much any data there uh yeah there seems to be a lot a lot of features that you could spend a lot of time oh my gosh so much here we go up at the top all right so here we can see a list of ipv4 conversations so we can go back we can see back and forth uh oh and also there's something on here that um where is it there's a ability to resolve um ip addresses which i think is great but you should be aware that it will attempt to resolve those so like it might be when you request to actually just like figure out the website name yeah so like it'll actually show you where a particular connection was made to because it will actually go and resolve these domains so i'm not actually a hundred percent sure one name resolution this would be grayed out for some reason yeah i don't know why but uh i still think it's really cool that you can go through and see you know okay like what was someone resolving to what's the most common ip addresses that were resolved to you can see address a address b and these are all the conversations that were recorded uh so for anybody that's digging into these sorts of conversations i think that's super cool and you can also expand the type that are included by going through this menu wow oh you can actually look at that's uh zigbee oh so that would be interesting to look at like a smart home network or something with zigbee and z-wave and see like what's going on definitely definitely and 
i'm a little disappointed that it's not resolving um the the names because i find that so funny um but yeah all right let's go ahead and close this one i was gonna say we may actually have to uh explore some of the further features in the future yeah how much time do we have after uh we are 50 minutes in wow okay so this is one last one i'll get back to the wlan traffic i think is probably the most interesting from the outside perspective uh you can very quickly see what devices are requesting so if there's a particular network nearby devices really want to join you can see which networks are the most popular and you can also see when they're being used and how much so as i said earlier you can also take any of this data and turn it into a graph you can turn it into a filter and i think that that's really cool so wireshark is a great way to be able to get around your wireless environment both by identifying a network you want to listen in on and then if you know the password or if it's an open wi-fi network actually be able to see the contents of communications and do a lot of interesting stuff there cool yeah so what do you think about wireshark now i mean i think it's really powerful like i said a couple times so like it definitely seems the kind of thing like you can you can lose yourself in if you don't know what you're looking for so i would definitely like have a question in mind or just have a lot of free time when you're going in to like spend looking around i think it's like the kind of thing that you should if you're if you're wanting to get into wi-fi hacking it's definitely something you need to learn but it's definitely probably something you should take a weekend and sit down with some like test networks and just explore and that might and then maybe you know watch some of these types of videos and that'll help give you a like guiding star yeah and we didn't get into some more advanced examples but other things we can do is for example if someone was 
watching a webcam on this network we would be able to provided the connection they were watching it over was using http actually see the images in real time and download them using wireshark so this isn't just doing things like you know watching on the outside of the network we can analyze protocols in detail identify protocols of interest like jpegs or http data that we can read in plain text and then actually download these files or videos even as they're being streamed oh so if you had like a surveillance network on the the same wi-fi or ethernet network then you could potentially eavesdrop on that yes absolutely so if you have somebody streaming to like a like an interface that's showing the feed of the camera that's some real movie hacker stuff it is it is so being yeah being able to look over the shoulder of someone and see these images i think is really really cool but you have to take the steps that we did today which is first identify the network you're interested in then actually grab the handshake which can just be kicking back and waiting for someone to connect cracking the password putting the information into wireshark making sure you're decrypting with the psk and then as soon as you have that accomplished listening for the individual session key of someone connecting and recording everything and decrypting it from there on so there's a lot of kind of things you have to do to get to the point where you can see absolutely everything going on in the network and there's of course still carve outs where you can't see stuff that's protected by ssl and you can't see stuff that's protected by the vpn but aside from that it still gives you access to things like uh dns that will tell you where the person is going so if i wanted to fire up better cap i now have all the information about where the traffic of the network is going already and i can start selectively redirecting certain websites and popping up phishing versions of the same pages i was going to say 
um if y'all are interested in us like doing some of the ssl downgrading or like exploring some of these other advanced features that cody's talking about let us know in the comments that way we uh know which episode you'll want to see in the future i don't know how to do that but i'd have to figure it out yeah no no i mean it sounds really interesting to me because i i do obviously there's a trend towards ssl and https everywhere so like at some point these sorts of attacks are going to stop working unless there's other attacks on those no no you don't think no because like if i don't want to mess with ssl i just redirect someone away from the ssl website to a fake website that has ssl and no one's going to like go and like look at the ssl numbers and figure out that it's like different like interesting there's ways around ssl and like if i know you're going to you know google.com as all of us do then i probably would be able to even if it's using ssl just pop up a fake version of google.com redirect you to that one and then provided it has little lock and doesn't give you a warning how would you know the difference yeah that's what i was going to say is so like it would be that would be a fun episode even is like how you can man in the middle so like you're basically taking information from the target and then passing it through to the real website but presenting yourself as the the legitimate website yeah that's a more advanced attack and our friend ian did that one yeah so maybe we could call on him to show it off but yeah there's definitely more advanced ways of doing that that bypass ssl by just taking you to a fake version of the web page rather than actually trying to attack the math behind the encryption because it's pretty good yeah cool sounds fascinating yeah all right so that's all we have for this episode another big thank you to varonis for making sure this series continues on and if you're interested in other free resources by veronis you should 
check out the ad powershell workshop which is a great way to get started scripting in powershell for active directory as well as some of our cyber attack labs uh we even did a live stream on the attack laptop oh we did yeah yeah we even adapted one of the attack labs for a live stream so if you want to check that out take a look at our live stream on attacking windows systems and uh cracking kerberos tickets in order to basically do a bunch of bad stuff while pretending to be a backup system which is pretty cool yeah thank you michael for joining us today i hope everyone enjoyed this introduction to wireshark and all the great stuff it can do and uh make sure to follow me on twitter codykinsey and let me know if you have any other ideas for the show because i'd love to hear feedback and i'd love to hear new ideas cool we'll see you guys next time bye you
Info
Channel: SecurityFWD
Views: 15,810
Rating: 4.9477124 out of 5
Keywords: wireshark tutorial 2020, wireshark ip sniffing, wireshark tutorial, wireshark tutorial 2019, wireshark ip, wireshark no interfaces found, cyber security, how to hack wifi
Id: 1x31YZ7DVCM
Length: 67min 55sec (4075 seconds)
Published: Tue Jul 28 2020