How Sniffing Works? (Practical)

Transmission of data over HTTP makes the data vulnerable to MITM attacks. Security admins and hackers can sniff the network issues, check security problems, and debug protocols. Tools like Wireshark can be used for sniffing the HTTP traffic between user and the web server.

As an ethical hacker, you should know how to perform security assessment and troubleshoot the issues that can cause attacks.

1. Open Wireshark.

2. Double-click on the Ethernet interface to initiate the capturing of network packets.

3. Wireshark will start the process and capture the packets created from the traffic received and transmitted from the machine.

4. Start the target machine.

5. Open a browser like Chrome. Enter the URL http://www.moviewscope.com in the URL bar and visit it.

Enter the below credentials and click on Login:

Username: sam

Password: test@123

6. Open Windows Server 2016. In Wireshark, choose Capture > Stop from the menu bar.

7. Choose File from the menu bar and click on Save.

8. Choose a destination for file saving, like Desktop. Enter a filename (Password Sniffing) and choose format (pcapng). Click on Save.

9. Write http.request.method == “POST” syntax in Filter for filtering the HTTP traffic. Click on Apply.

10. From the packet details, expand the HTML Form URL Encoded. Wireshark will show you the password entered by the users. 

11. Wireshark will capture the traffic related to the network. 

Now, let’s learn how to configure Wireshark for capturing traffic from only the victim machine.

For this, login to Windows 10 machine from Remote Desktop Connection and initiate Remote Packet Capture Protocol v.0 (experimental) in Services.

Close the remote desktop connection in the Attacker machine in Windows Server 2016. Next, you need to configure Wireshark for capturing traffic coming from the victim machine.

Close the windows open during the previous task.

12. Open Windows Server 2016. Click on Search and write Remote Desktop Connection. When it opens the results, click on Remote Desktop Connection.

13. Click on Show Options.

14. Write the Windows 10 IP address in the Computer field. Specify the username (martin) and click on Connect.

15. When the Windows Security dialog box comes, enter the password (apple) and click on OK. 

16. In the next step, click on Yes.

17. Now, open the Search bar and search for Services. 

18. Open the Services and right-click on Remote Packet Capture Protocol v.0 (experimental). Click on Start.

19. Close the Services window and disconnect the remote desktop connection. Open Wireshark in Windows Server 2016. From the menu bar, choose Capture > Options.

20. When the Wireshark Capture interface window comes, click on Manage Interfaces.

21. From the Manage Interfaces window, choose Remote Interfaces and click on Add.

22. When the Remote Interface window comes, write the target machine’s IP address in the Host field. In the Port field, write 2002. 

23. Under Authentication, choose Password authentication. Enter the credentials of the target machine and click on OK. 

Credentials:

• Username: martin

• Password: apple

It will add a new remote interface on the Remote Interface tab. Choose the host and click on OK. 

24. In the Wireshark Capture Interfaces, you can view the recently added remote interface. Checkmark the interface with the IP of the target machine and uncheck the other interfaces. Click on Start.

25. Open Windows 10 machine and enter the credentials of Martin account. Press Enter. 

26. Open a web browser and visit the moviescope.com website. 

27. Open Windows Server 2016. You can see that the packets have been captured remotely. 

28. Once you are done analyzing the network traffic, stop the packet capture and close the app windows.

Capsa is an application that helps in network analysis of LAN and WLAN. It analyzes the network in real time, with features like 24/7 monitoring, advanced protocol analysis, in-depth packet decoding, etc.

In this practical, you will learn about information gathering of the target, network traffic analysis, communication monitoring, network problem diagnosis, network security analysis, network performance detection, as well as network protocol analysis.

1. Go to Module 08 Sniffing\Sniffing Tools\Capsa Network Analyzer and double-click on  capsa_ent_demo_10.0.0.10038_x64.exe.

See the steps to install the Capsa Network Analyzer and launch the application. 

In case you see the Open File - Security Warning pop-up, click on Run. if the wizard asks you for system restart, choose Yes and restart your system.

2. Once it is restarted, open the Capsa app from your desktop.

3. When the Colasoft Capsa 10 Enterprise Demo wizard comes, click on OK.

4. From the Capture tab, checkmark the network adapter (here Ethernet). Click on Start to initiate the analysis of the network.

5. In the Dashboard, you can see the graphs and charts of the stats.

6. In the Summary tab, you can see the general analysis and statistical information of the chosen node. 

7. In the Protocol tab, you can see the statistics of the protocols used in the network. It will also show the Physical Endpoints and IP endpoints of the chosen network.

8. In the MAC Endpoint tab, you can see the statistics of the MAC addresses in the network.

9. In the IP Endpoint tab, you can see the statistics of the IP addresses in the network. It also shows the nodes with maximum traffic volumes.

10. In the MAC Conversation tab, you can see the communication between two MAC addresses.

11. In the IP Conversation tab, you can see the IP conversations between pairs of nodes.

12. To see the complete analysis of packets between two IPs, double-click on a conversation. A window will open showing the full packet analysis. Close the window once you have done the analysis.

13. In the UDP Conversation tab, you can see the real-time status of UDP conversations between two nodes.

14. The Matrix tab shows you the nodes communicating in the network with graphical representation.

15. The Packet tab will show you the information about a packet. You can double-click on a packet to see the full analysis information of packet decode. 

16. In the Packet decode, there are two views: Hex View and Decode. Once you are done analyzing the packet details, close the window. 

17. In the Report tab, you can see the statistics reports from a global network to a particle node. 

18. Once this is done, click on Stop.