Sniffing Usernames, Passwords, and Web Pages

Transcript:

Wireshark is a packet sniffing program that network administrators can use to isolate and troubleshoot
problems on the network. It can also be used by someone with malicious intent to eavesdrop on network
communications and capture sensitive data like user names, passwords, the types of web sites that people
are visiting and the types of things they’re looking at, their email– all kinds of things. So Wireshark can be
used in a very positive way to help troubleshoot network problems or it could be used in the wrong hands to
eavesdrop. Let’s see how this works.
I have a diagram that I’ve created here to show you this scenario. The scenario is this: this is my computer in
the center, Dan’s Computer, and I have two network connections. I have a wireless connection going this
way, and I’ve got a wired connection going this way. I can use Wireshark to capture traffic crossing either one
of these network interfaces, so all traffic that leaves my computer on this network interface wirelessly I can
capture. Also, traffic that comes across my interface from the network coming into the interface, I could
capture that as well. Also, same thing with this network connection. So what I want to do is, is I want to
generate some traffic from my computer, and I’m going to send and receive data and then I’m going to
capture that data and take a look at that data. The protocols that we’ll be analyzing are Telnet, SSH, FTP, and
HTTP. And FTP and HTTP connections will happen off the Internet and the Telnet and SSH connections will
be happening from a router that I’m going to connect to, and then I’ll capture that traffic as it leaves my
computer and then also as it returns. So this should be a fun exercise and show you a little bit about how
Wireshark works.
So Wireshark’s really easy to use, actually. All you have to do, first of all, is tell it which interfaces you want to
capture. So if I’m going to, let’s say, Telnet into the router, I’ll go up here and I’ll say, “Capture Interfaces,” and
then I’ve got to pick the correct interface. Now, I have a bunch of virtual interfaces here, so I have to, first of
all, look closely at which interface I want to use right now. So my wireless connection, that’s for going out to
the Internet. Right now my local area connection, my gigabit network connection, is the one I want to use, and
you can see traffic flowing across it a little bit right now, but this is the one right here, gigabit network
connection. So I’m going to select it, and I’ll press Start, and now I’ll start capturing traffic on that interface. So
now what I can do is, I can get a connection. So what I’ll do is, I’ll open up PuTTY, and I’ll Telnet into the
router, so I’ll choose Telnet from PuTTY, and I’ll put in the IP address of the router, “192.168.0.1”.
Now, I’m capturing all of this traffic right now. So here is the Telnet session. I’ll put in my username, which is
“admin”. And then I’ll put in my password, “Cisco12345”. And you can see I just got into the router. Now I’ll go
to privilege user mode–“enable”. And I’ll put in the next password, which is “DansCourses”. And now I’m in
privileged user mode, and I can start executing commands, like “show me the IP routing table”, or something
like that, right? Okay, so now I’m done, so I’m going to stop capturing. So I’ll press the stop button here, and
you can see that I’ve captured just a ton of packets here. See that? All these packets here.
Now, let’s say I was snooping or eavesdropping on the network, and I’m interested in possible network
management connections and usernames and passwords, and seeing if somebody was using a protocol like
Telnet which is not encrypted and would possibly give away that information. So all I’d have to do is go really
quickly here and say, “I’m interested in the Telnet protocol,” and this is my filtering tool right here. See, it says
“Filter”? So I put in “Telnet”, click Apply, and it’ll isolate only the packets that were using the Telnet protocol.
And by doing that, we can take a look at the different types of communications that were happening. So as
you can see, I can open this up, and we can start looking at each packet. So Telnet. Let’s see here. Telnet.
Telnet. Look at that. Telnet–and if we look in this window right here, you can see, these are returns, User
Access verification\\r\\n, username, and if I go to the next packet, and the next one, and the next one, and the
next one, next one. Eventually we’ll see something here. Data: A D M I N Admin. And then, password. And
we’ll keep going down here. C I S C O 1 2 3 4 5 Each character is sent separately, each keystroke sent
separately in a separate packet here, but you can just put them all together, and you can see the entire
situation. I could also take this Telnet communication, and I’ll take this packet and I’ll say, right-click and
choose Follow TCP Stream, and we can see the whole thing right here. User access verification, username,
you can see here, admin; password, Cisco1234; then here’s my Enable command. Now, the letters are a little
funky here, split into red and blue, but we can see that the command was Enable and the password was:

DansCourses. We can also see the output from my Show IP Route command and the type of output that the
router generated. Everything here was basically in plain text, so we learned that Telnet is not a very secure
protocol to use for remote administration. If someone happened to be eavesdropping on the network and
picking up that data, it would reveal both my username, my password, and all the commands that I’m giving.
So I’ll close this and I’ll close PuTTY, and I’ll execute the same scenario, but this time I’ll use SSH.
So… I’ll press Capture Interfaces. Same Connection. Start. I want to continue without saving the previous
capture. I don’t need to save all those packets, so I’ll say “Continue Without Saving.” I don’t need also just the
TCP steams, so I’ll clear that so that we can see all types of communications here, and I’ll open up PuTTY
once again, except this time I’ll use– instead of Telnet, I’ll use SSH, put in the IP address, and click Open,
and I’ll log in again as “admin”. And I’ll use the same password, “Cisco12345”. Gets me in. “Enable”. And the
password: “DansCourses”. And then a command like “Show IP Route”. Now let’s stop the capture. We’ve got
all of our data here. You can see right here, SSH version 2, the protocol, encrypted request packet. Let’s–first
of all, let’s filter for SSH. “SSH”, and click Apply. And so these are all the SSH packets. Key exchange
initialized. Diffie-Helman key exchange. This is the key exchange. New keys, client keys. Encryption, AES
256. And we’re looking to see if we can… Here it is. So here is something sent from me to the router,
encrypted request packet. See here. I’m not going to be able to pick up any information here and figure out
usernames and passwords or anything like that. And if I go up to the top and I say, “Follow TCP Stream,” we
can see in here that all of the messages if we follow the stream, it is entirely encrypted, and I’m not going to
be able to figure out exactly what types of information was sent across the network. That was SSH and
Telnet.
Now, what about FTP, file transfer protocol, and HTTP? So let’s say I wanted to connect to an FTP server on
the Internet. So I just happened to have one here that we can use. So I’ll open up a FileZilla connection to my
web host, “ftp.danscourses.com”. I’ll put in the user “[email protected]”. I’ll put in my password:
“wiresharkGR8”. And this will be a port “21” connection to FTP, so before I connect, though, I want to start
capturing. So I’ll say Capture Interfaces, except this time I’m going out to the Internet, so I’m not going to use
the local area connection. I’m going to use my wireless connection. So I’ll select the wireless connection and
press Start. So now I’m capturing web traffic. There we go. Let’s start our connection now. Quickconnect. All
right, it’s connecting to my web host online, and it already submitted my username and password, and I can
now examine the files on my web host. I’ll stop the connection– or stop the capture, and I’ll close my
connection to my web host. There we go. And let’s take a look at what we have. So here is the captured
packets.
As you can see, it’s a ton of information. All we’re interested in, though, is FTP. So “ftp” is the protocol I’m
interested in, so I’ll filter for FTP, and you can see right there; we don’t have to look very far. Look at the
second line– User: [email protected]. And then password– it says “pass” right here–
WiresharkGR8. So there it is. Done. That was quick. If we follow the TCP stream, you can see all of the
information here, and, yeah, there you go. There’s the username and password. So FTP is not secure. So
what have we learned? We’ve learned that Telnet’s not encrypted, not secure, SSH is encrypted, and that
FTP is not encrypted.
Now, what about HTTP traffic? If someone was eavesdropping on your network and they were sniffing
packets, could they see the web pages that you were looking at? Absolutely. Let’s take a look. So once again,
I’ll Capture Interfaces, and I’ll capture my wireless network connection. I’ll hit Start. Continue without saving.
So now I’m capturing traffic. And let me clear this, because we don’t want just that stream. Okay, so we don’t
want to filter yet. And open up a web browser, and I’ll go to “DAlberghetti.com”, my website. I know, because I
have a simple picture here so it’s a good one to go to. And then I’ll go to my website here,
“danscourses.com”, and I can hit a couple of pages, and I’ve got some images here. And there should be
some graphics. There we go. All right, sounds good. So I’ll stop the capture, and let’s say I’m interested in the
types of images that I happen to be looking at.
Well, what I’ll do is, first I’ll filter my captured data, all the different protocols and packets that I captured. This
time I’m interested in HTTP traffic, so I’ll click Apply. These are my web requests. So I’m interested in, let’s
say, maybe images that somebody’s looking at. So I could say–and just scroll down and start looking for the
types of files like JPEGS and PNG files and GIF files and things like that. Let’s see if we can find one really
quickly here. All right, there’s a PNG request here. There’s a PNG file here. This looks like it was from my
website. Let’s see if we can get that first image. There it is. Right here, “get”– this is the call to get my image
from my website. On the next line, it says right here, “JPEG image.” So what it can do is, is highlight this.
Then I’ll go down in this second window area, and there is the JPEG file right here. This what I’m interested
in, so I’ll just right-click on this JPEG, and I’ll say, Export Selected Packet Bites and Raw Data, and I’ll just
choose a name, “image1”, and I know it’s a JPEG so I’ll put “.jpg” and save it to my desktop. Now I’ll scroll
down and look for some other images that we can take. Go here, scroll down, media type, image JPEG…
Export Selected Packet Bites, “image2.jpg”, save. Here’s a JPEG image right here. JPEG File Interchanged
Format. That looks good. Export “image3.jpg”. And this last one… Export Selected Packet Bites, and I’ll name
this “image4.jpg” and save it to the desktop. So I have highlighted a couple of different images by looking for
them here and exported them to the desktop.
Let’s take a look at what we found. So we’ll go to the desktop, and here are the images: image1, image2,
image3, and image4. So we’ll just open this one first. There’s the first image, right, right from my website,
rebuilt from the packet capture. So we learned that if somebody was listening in on the network, they could
pull the images and the type of information that you’re viewing, the types of websites you’re viewing, and all
kinds of stuff if they were using a packet sniffing program. And you can see that none of that stuff is
necessarily private or encrypted. Now, it’s a good reason to think about when you should be using HTTPS,
when you should be using an encrypted protocol and things like that. So it’s definitely something to think
about.
Well, anyway, I hope you liked the demonstration. You could try that for yourself. Just Capture, Interfaces,
choose the correct interfaces, and click Start, and start Capturing, and then browse some web traffic. When
you’re done, press the Stop button, and then try to isolate some images, like a JPEG image or a PNG file or a
GIF file, and then highlight– like this one is a portable networks graphic, so what you do is, you highlight that,
and then export the selected packet bites. In this case, this would be “image5.png”, since it’s a PNG file. So
I’ll hit Save and save that. And sure enough, it’s a tiny little image, a little icon, but it is an image, right, PNG
file. So it’s a type of thing that you could have a lot of fun with. All you have to do is just start capturing one of
your network interfaces and start generating some traffic by browsing the web.