In this video I'm gonna show you how to download and use Wireshark. Wireshark is a really important tool if you wanna see what's going on on a network. So as an example, seeing passwords or other information on a network. (techno music)

In this example, I'm using Windows 10. I'm gonna open up Microsoft Edge and go to Google.com and do a search for Wireshark. First hit is Wireshark.org, so you could just go directly to Wireshark.org, if you wanted to, and then click Download to download Wireshark. What I'm gonna do is select the Windows installer 64-bit because that's what I'm using in this example and I'm gonna click Save. Wireshark is now downloaded, so I'm going to click Open Folder to open my Downloads folder. And as you can see here, Wireshark win64-bit, version 3.03 has been downloaded.

I'm gonna double click on that executable file, click Yes to install the application. Now you can change some of the options when you install Wireshark. I'm gonna basically stay with the defaults. You need to agree to the Wireshark license. I'm gonna click Agree. Wireshark is free, you don't have to pay for it, but you do need to agree to the license if you want to use it. Components to install, I'm gonna stay with the defaults, but essentially Wireshark is the graphical user interface that we want to use. TShark is a command line interface, very useful if you want to use Wireshark without a graphical user interface. I'm gonna click Next. I'll keep the defaults but also add a desktop icon, click Next. I'll stay with the default installation directory, click Next. Wireshark requires either Npcap or WinPcap to capture live network data. I'm gonna stay with the defaults and click Next. USBPcap is required to capture USB traffic. I'm not gonna use that so I'm gonna simply click Install to install Wireshark.

As you can see, Wireshark is now being installed on my Windows computer. You essentially need to just wait for that installation to complete. So a whole bunch of files are installed. Now the Npcap license agreement is displayed. You need to agree to that as well. You can specify various options but I'm gonna stay with the defaults and click Install. Once you get used to Wireshark and you use more advanced features, you can select some of the other options, but again here I'm just using the defaults to allow Wireshark to make changes to my computer and install, as an example, a Loopback Adapter on my Windows computer. So as an example, in Control Panel, if I look at my Network and Internet, what you'll notice is I have an Npcap Loopback Adapter installed. So under Control Panel, Network and Internet, Network Connections, I have my ethernet interface, Ethernet0, which is Network 2, and I have an Npcap Loopback Adapter installed, and that was installed as part of the Wireshark installation. Click Next, click Finish. So Npcap is now being installed. Wireshark installation continues. As you can see there, my Wireshark icon is now displayed on my desktop. A bunch of files are extracted and notice the installation is complete. Click Next, click Finish. That's how you install Wireshark on a Windows computer.

All I need to do now is start it up. And notice I have two interfaces, Npcap Loopback Adapter and Ethernet0. This shows me that there's a lot of traffic being seen on that ethernet adapter, so I'm gonna simply double click that. Now note, if the network is busy, which this network is, you'll see a lot of traffic in the output. I could filter, as an example, for some type of protocol. EIGRP is a routing protocol and I can see hello messages for that protocol. If you don't know what that is, don't worry. OSPF is another routing protocol, so I can see that. So there's a lot of traffic in this network but I'm filtering to only see certain traffic types, in this case telnet.

So what I'll do in this example is telnet to a device on my network. So I'll telnet to 192.168.254. Notice we can see telnet traffic in the output now, previously we didn't see that. I'll put in my user name, which in this example is wireshark, and I'll put in my password. And notice I've connected to a 3750 Cisco switch. Show version will actually show me that output. Now if you haven't worked with Cisco devices before, don't worry. Basically all I've done is telneted to a switch in my network, a device that I'm physically plugged into. You would see something similar if you had telneted to a router. But notice here's the telnet data. I can, as an example, have a look at the telnet data. I can see here User Access Verification asking for a user name, my PC with this IP address, 192.168.1.85, is sending data to the switch. The switch then replies. So as an example, notice the data sent here is wi. That's echoed back, in other words, I'm sending data to the switch and then it's sending it back again so that it displays on the screen. So scrolling up here, I could actually see my user name displayed and that's what's being displayed here, so that's the e in Wireshark. That's echoed back. And then, if I continue, you'll see the user name, wireshark. And then the switch prompts for the password and what you'll notice now is my password is sent to the switch.

Now there's a much easier way of doing this. If I click on one of the packets and then click Follow, TCP Stream, I'll see the entire stream. So as an example, the blue is what the switch is displaying, the red is what I'm typing. So hence you see wireshark typed twice there, but notice the password is only displayed once because the switch didn't echo that back again. There's my show version command. So I typed sh space vr and then I pressed tab and that's what was displayed, and then the output of the command was displayed there. Now, as an example, on this switch, if I typed show run, and don't worry too much about this command, all I want you to see is that I can see information in real time in Wireshark. Notice here is a user name called Bob, here's a user name called Wireshark, both with a really bad password of Cisco. This password David is using encryption, that's much better, that's what I should be using if you're using a Cisco device. But once again, if I click on a telnet packet and then go Analyze, Follow, TCP Stream, you can see all of that output in Wireshark. It's being captured by Wireshark and I can view the user names and passwords.

Now in my Wireshark course I talk more about this and show you how to hack protocols in more detail using Port Span, as an example. So here, it's fairly easy to see what's going on because my device is sending the traffic into the network and receiving the traffic, but if you wanted to capture packets from other devices, you need to enable Span or something else in your network so that you can see those packets and have visibility of what's going on.

But what I'll do here is open up a web browser and go to this website, ox.ac.uk. This is the University of Oxford. Now this is really bad, websites today shouldn't be using HTTP, they should be using encrypted HTTPS traffic. So what I'll do here is exit out of the switch and, just to show you the IP address of that website, I'll use nslookup, so nslookup ox.ac.uk. Notice the IP address here, this is the IP address of the server. So I should be able to filter for 129, there it is over there. So I'll right click on this and I'll select this as a filter so I see just the traffic to that server. Now I don't have an account on the server, but if I was asked to log in to the server and it was sending the traffic via HTTP, I'd be able to see those passwords. Notice when I clicked on Staff, it took me to another domain name and this one is encrypted, HTTPS, but if I go back, notice ox.ac.uk is in clear text. It's bad practice today to use clear text for your websites, they should be encrypted.

So let's do another example just so that you can see a login. I'm gonna connect to that switch again and notice here I'm asked for a user name and password. So I'll use my user name of Wireshark, password of Cisco. That will log me into that switch. So let's just search for that IP destination equals 192.168.1.254. So now what I'm doing is I'm looking for traffic to that server, which is the switch. And what I could do is filter that for HTTP. So let's go and HTTP. So I filtered that right down. Notice Authorization here is displayed and notice there's my user name, wireshark, and Cisco. But what I want you to see is you can see the user name and password in clear text because HTTP is clear text.

Okay, so I hope you enjoyed this video. If you did, please like it and please subscribe to my YouTube channel, that really does help me. I'm David Bombal. I wish you all the very best. (techno music)
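As an added example that is not part of the video or its transcript, the Python below models what the walkthrough shows in Wireshark: a display filter on destination and protocol, a Follow > TCP Stream reassembly of the telnet login (the switch echoes the typed user name but not the password, so the name shows up in both directions), and decoding of the HTTP Basic Authorization header that exposed the switch login. The same sweep is what a network team would run over its own captures to find credentials crossing the wire in the clear. The capture is constructed here; the addresses 192.168.1.85 and 192.168.1.254 come from the transcript, while the 192.0.2.10 web server and the simplified packet fields are assumptions.

```python
import base64
from dataclasses import dataclass
PC, SWITCH = "192.168.1.85", "192.168.1.254"  # PC and switch addresses from the transcript
WEB = "192.0.2.10"                              # constructed unrelated web server, for filter noise

@dataclass
class Packet:
    src: str
    dst: str
    svc_port: int  # server-side port in either direction: 23 = telnet, 80 = HTTP
    payload: bytes
def telnet_login(user: str, password: str) -> list:
    """Constructed telnet login: the switch echoes each user-name character, never the password."""
    pkts = [Packet(SWITCH, PC, 23, b"User Access Verification\r\n\r\nUsername: ")]
    for ch in user.encode():  # one keystroke per packet, echoed back by the switch
        pkts += [Packet(PC, SWITCH, 23, bytes([ch])), Packet(SWITCH, PC, 23, bytes([ch]))]
    pkts += [Packet(PC, SWITCH, 23, b"\r\n"), Packet(SWITCH, PC, 23, b"\r\nPassword: "),
             Packet(PC, SWITCH, 23, password.encode() + b"\r\n"), Packet(SWITCH, PC, 23, b"\r\nSwitch>")]
    return pkts

def http_basic_request(host: str, user: str, password: str) -> Packet:
    """Constructed HTTP request with a Basic Authorization header (base64 is encoding, not encryption)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return Packet(PC, host, 80, f"GET / HTTP/1.1\r\nHost: {host}\r\nAuthorization: Basic {token}\r\n\r\n".encode())

CAPTURE = telnet_login("wireshark", "Cisco") + [
    Packet(PC, WEB, 80, b"GET / HTTP/1.1\r\nHost: www.example\r\n\r\n"),  # unrelated HTTP, no credentials
    http_basic_request(SWITCH, "wireshark", "Cisco"),
]

def display_filter(pkts, dst=None, svc_port=None):
    """Stand-in for display filters such as 'ip.dst == 192.168.1.254' combined with 'telnet' or 'http'."""
    return [p for p in pkts if (dst is None or p.dst == dst) and (svc_port is None or p.svc_port == svc_port)]

def follow_tcp_stream(pkts, client, server, svc_port):
    """Reassemble one conversation as Follow > TCP Stream does: client bytes (red), server bytes (blue)."""
    conv = [p for p in pkts if p.svc_port == svc_port and {p.src, p.dst} == {client, server}]
    red = b"".join(p.payload for p in conv if p.src == client)
    blue = b"".join(p.payload for p in conv if p.src == server)
    return red, blue

def find_cleartext_credentials(pkts):
    """Defender's sweep: decode every HTTP Basic Authorization header that crossed the wire in the clear."""
    found = []
    for p in (p for p in pkts if p.svc_port == 80):
        for line in p.payload.split(b"\r\n"):
            if line.lower().startswith(b"authorization: basic "):
                user, _, pw = base64.b64decode(line.split(b" ", 2)[2]).decode().partition(":")
                found.append((p.src, p.dst, user, pw))
    return found
```

Running `follow_tcp_stream(CAPTURE, PC, SWITCH, 23)` returns the user name in both the red and blue directions and the password only in red, which is exactly why the stream view in the video showed "wireshark" twice and "Cisco" once.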