@AdSecVN FB: AdSecVN @QuantriBaomat

Wireshark
Wireshark is one of the most popular and powerful network analysis software tools in the
world. It provides the capability to monitor and analyze network traffic deeply. Here's a brief
introduction to Wireshark:
1. Main Purpose:
Wireshark is used to analyze real-time network traffic and also to examine previously recorded
traffic. It helps network administrators, security engineers, and application developers
troubleshoot network issues, diagnose disruptions, and secure networks.
2. Key Features:

• Capture Capabilities : Wireshark can capture traffic from various types of network
interfaces including Ethernet, Wi-Fi, Bluetooth, and more.
• Rich Protocol Support: It supports a wide range of network protocols including TCP,
UDP, HTTP, HTTPS, DNS, SNMP, and many more.
• Powerful Filtering: Wireshark has powerful filters, allowing users to extract specific
traffic relevant for analysis.
• Decryption Support: It can decrypt encrypted traffic such as HTTPS and SSH,
provided users have the appropriate keys.
Packet Analysis: Displays comprehensive information about each captured packet,
•
including headers and data payload.

3. User Interface:
• • •Packet
• List Pane: Displays the list of captured packets.
• Statistics Menu Pane: Shows detailed information about the selected packet.
Packet Details
Packet Bytes Pane: Displays a hexadecimal representation of the packet data.
Filter Toolbar: Allows users to apply filters to display relevant packets.
: Provides statistics about network traffic, including graphs and
summaries.
4. Platform Support:
Wireshark is available for various platforms including Windows, macOS, and Linux.
5. Common Uses:

• Diagnosing network issues such as connection disruptions or slow performance.

• Analyzing network security, such as detecting attacks or identifying security
vulnerabilities.
•
Development and debugging of network applications.

•
Monitoring network traffic for auditing or compliance purposes.

@AdSecVN FB: AdSecVN @QuantriBaomat

 Example of using Wireshark:

1. Sniffing FTP credentials using wireshark

is a standard
FTP protocol
(File Transfer used to transfer files between computers
Protocol)
connected in a network, such as the internet. FTP is commonly used to upload or download
files from an FTP server to a client computer, or vice versa.
FTP is Vulnerable to Man-in-the-Middle Attacks: Because FTP does not provide encryption,
it is vulnerable to Man-in-the-Middle (MITM) attacks, where an attacker can eavesdrop on or
manipulate data traffic between the client and FTP server.
Victim accesses FTP and enters credentials.

Attackers can view traffic in Wireshark by filtering TCP port 21.

@AdSecVN FB: AdSecVN @QuantriBaomat

 Then right-click on the TCP packet, follow TCP stream, and the information will be displayed.

2. How to get Website Login Credentials using Wireshark

HTTP (Hypertext Transfer Protocol) is a communication protocol used to transfer data on the
World Wide Web (WWW). HTTP is the fundamental protocol used to send and receive
information between clients (such as web browsers) and web servers. As a text-based
application protocol, HTTP governs how data is transferred and interpreted. Typically, HTTP
is used to fetch web pages but can also be used to transfer various types of data, including
images, videos, and other files.
Despite undergoing various version improvements, including HTTP/1.0, HTTP/1.1, and the
latest HTTP/2, the protocol still has some vulnerabilities that can be exploited by attackers.
Some common vulnerabilities in HTTP include: Man-in-the-Middle (MITM) Attacks: Attackers
can exploit this vulnerability by attempting to
position themselves between the client and server to monitor or modify the communication that
occurs between them.

a) The attacker sets up a Fake Wi-Fi network so that the victim will use that Wi-Fi for
browsing.

@AdSecVN FB: AdSecVN @QuantriBaomat

 b) After the victim connects to the Wi-Fi and starts browsing, if the victim enters login
credentials, the attacker can see the data being sent.
In this scenario, the victim logs in to a website and enters their username and password.

Then the attacker can open Wireshark and select the appropriate interface for analysis. Since
the login is done using the "POST" method, they can apply filtering to dis
play only POST requests. After the filtered POST requests appear, the attacker can right-click
and choose "Follow" -> "HTTP Stream" to analyze the HTTP stream for further information.

@AdSecVN FB: AdSecVN @QuantriBaomat

 Then it will display the following section, where the username and password entered by the
victim are visible. Once obtained, the attacker can use these credentials.

@AdSecVN FB: AdSecVN @QuantriBaomat

 3. Analyzing Hydra Brute Force using Wireshark

Hydra is one of the most well-known and powerful penetration testing tools used to conduct
brute force attacks. A brute force attack is a method where an attacker tries all possible
combinations of passwords to gain unauthorized access to a system.
Running brute force using Hydra.

When analyzed with Wireshark, numerous POST method traffic packets associated with brute
force attacks are visible.

@AdSecVN FB: AdSecVN @QuantriBaomat

 4. Detecting SQL Injection with Wireshark

SQL injection is a type of attack used to exploit web applications that utilize SQL (Structured
Query Language) to process data. In a SQL injection attack, the attacker inserts malicious SQL
code into input received by the web application, which is then executed by the database. The
attacker inputs SQLi payload.

Analysis in Wireshark and filter by the GET method, select packets containing SQL injection
payloads, as seen below where the attacker inputs the SQLi payload.

@AdSecVN FB: AdSecVN @QuantriBaomat

 5. Analysis of Nmap Scanning using Wireshark
Nmap (Network Mapper) is one of the most popular and powerful network scanning tools used
to discover hosts and services within a computer network. It allows users to conduct network
scans to determine which hosts are active, what services are running on those hosts, as well as
additional information about the hosts and services.
Several flags commonly used in conjunction with Nmap are:

1. -sS (TCP SYN scan): This is the most common type of scan. Nmap sends a SYN packet
to the target port and waits for a response. If the response is SYN/ACK, it means the
port is open. If the response is RST, it means the port is closed. If there is no response,
it may indicate the port is filtered.

@AdSecVN FB: AdSecVN @QuantriBaomat

 2. -sT (TCP Connect scan): This scan actively connects to the target port. If the connection
is successful, it means the port is open. However, this scan is more easily detected by
firewalls and network logging.

3. -sU (UDP scan): This scan is used to discover open UDP services on the target host. UDP is
a connectionless protocol, so UDP scanning is more complex and slower than TCP.

@AdSecVN FB: AdSecVN @QuantriBaomat

 4. -sV (Service version detection): This flag allows Nmap to attempt to determine the
version of the service running on the discovered ports. It is useful for identifying the
running software version, which can help in determining potential vulnerabilities.

@AdSecVN FB: AdSecVN @QuantriBaomat