Kali/wireshark on a VM

[Skyrunner]

Hey all! I'm new to all this security related hacking and want to learn more about pentesting etc as I have chosen to study cyber security at university this September!

Anyway, my problem right now is, that I want to do some basic http sniffing with wireshark. What I've done is I have set up kali on a Virtual box (bridged) on my laptop and am trying to sniff the web pages I load on my computer. Both are connected to my home network however, for some odd reason wireshark isn't picking up any http from my computer or any signals. Though, its picking up packets from other devices on the network! I can surf the internet and when I run a netcat scan it is able to identify what else is there on the network but for some reason it won't sniff my http on my computer? Also I have made sure the pages I visit on my computer are http aswell...please help!

[digininja]

I've not got time to reply properly now but to see traffic in Wireshark you have to actually be able to see the traffic, that means it has to pass through the machine running Wireshark. Look at things like ARP cache poisoning, man-in-the-middle or simple bridge mode on a wired network to put your laptop between another machine and the router/switch (This is similar but different to the VM bridge mode).

[Skyrunner]

I don't really understand what you're saying. I can see traffic going through wireshark, it shows all sorts including my router traffic if that's what you mean? I did read somewhere that you need a USB dongle to be able to do sniffing through VM but I can use the internet and nmap scan just fine. Not sure where I'm going wrong..it floods the whole box but when I filter http all i see is traffic from my laptop

[digininja]

You will probably be seeing just broadcast traffic, this is traffic sent to every machine on the network and traffic sent to or from your machine.

[Skyrunner]

Maybe, how am I supposed to get it to work?

[digininja]

See my first answer. Sorry, to busy at the moment to give detailed answers, hopefully someone else will have time. Search for the terms I gave, you'll find plenty of information

[Skyrunner]

Okay thanks, sorry I have next to none experience with this. I sort of understand your first post, if I'm correct. You're saying instead of my victim(my computer) connecting to the router/internet it goes to my laptop then my laptop goes to the internet correct? I'm not particularly sure how to do it but I'll have a look round on the web. I thought wireshark did that for you automatically when you start its sniff.

But thank you for taking your time to reply and help :) Much appreciated!

[digininja]

Yes, that is one way to do it and no Wireshark doesn't do it for you. The way you describe is a physical way to get yourself in the middle by actually placing yourself there, the altnerative is to use something like ARP cache poisoning.

If you are on unencrypted wifi you could also sniff the traffic from the air.

[Skyrunner]

ah! So do I use ettercap for this? Realised you can ARP poison with it but not exactly sure how atm

[digininja]

ettercap, arpspoof, cain and able (windows) will do it.

Play with those and I'd also suggest trying to get physically in the middle which will need a second NIC in your laptop (assumiming the other computer is wired). You'll learn about bridge mode and a load of network admin stuff as well. Not exactly security but very useful stuff to know.

[cooper]

I would recommend getting a second machine for this work. The problem I see is that a VM plays tricks with the OS's view of the network adapter since the VM will get a virtual one and if you're going to try to make that virtual one play tricks with the network there's a good chance the VM implementation itself will get in the way.

Cheap and easy solution to the second machine problem: Listen to the WiFi traffic generated by your phone from your regular machine. Get some feel as to what's going on there. Learn to use wireshark effectively. In case of a wired machine attached by wire to the wireless router/switch that also receives your phone data, try to arp-poison the router so the phone data goes to your machine.

[Skyrunner]

Thanks for all your help guys, so what I've gathered is that I need to some how reroute all the traffic to my laptop by using ettercap or similar program.

One thing I noticed was, will it affect my laptop sniffing if my computer is plugged into ethernet? Also, on my VM version of Kali it says it's plugged into Ethernet though my laptop is connected to the internet via WiFi...

[Solace]

You're going to have to ARP-Poison your network. Try arpspoof -i eth0 192.168.0.1

Obviously replace that IP with the ip of your router...

[barry99705]

Thanks for all your help guys, so what I've gathered is that I need to some how reroute all the traffic to my laptop by using ettercap or similar program.

One thing I noticed was, will it affect my laptop sniffing if my computer is plugged into ethernet? Also, on my VM version of Kali it says it's plugged into Ethernet though my laptop is connected to the internet via WiFi...

Built in pci wifi cards don't work with virtual machines. They will show as a standard wired network card to the VM. USB network cards will work though, both wired and wireless.

[digininja]

I've had trouble passing through some Atheros cards to Linux VMs in VirtualBox. I ended up having to set up a machine in VMWare just to get my favourite card working.

[Skyrunner]

Thanks, for all the help. As said by most of you, I think I'll be buying one of them usb network cards if I can get one for fairly cheap. Just to poke around with and experiment with the stuff you can do in Kali!
Sorry for the late reply, been working my ass off in preparation for exams haha!

[Skyrunner]

Okay, I'm back (didn't want to create a new thread). So I've recently got rid of the VM version of Kali and gone ahead of making a live usb persistent copy. However, I'm still running into the same problems of only able to sniff my own traffic? What am I doing wrong? I did everything the same as in Hak5's video on wireshark introduction

[digininja]

You are still just seeing broadcast traffic. Is the wifi network encrypted?

[Skyrunner]

You are still just seeing broadcast traffic. Is the wifi network encrypted?

I don't think so. I set it all up and didn't opt for any encryption

[digininja]

In which case put the card in monitor mode using airmon-ng and then you should see the traffic.

[Skyrunner]

Sorry I'm new to this. Okay so I've done airmon-ng start wlan0 and it's created a new card named mon0. Now I no longer see packets sent/received on wlan0 so in wireshark I choose the mon0 option. When on mon0 all I see is mainly data from and to sagecom and private [MAC address here]. Most say in the info "request-to-send" after clear-to-send then block ack? Tried filtering Http and now it doesn't even detect internet activity on the laptop

[digininja]

I suggest googling sniffing wifi traffic, there are loads of videos on how to do it. Will be easier for you to go through some of those to get things working than us try to debug something remotely. We could end up going back and forward for days.

[Skyrunner]

I believe I have found the source ofthe problem....I had to type in the password for my access point in the decrypt key settings on 802.11 protocol. Though still not showing http...it just floods with BskyB data and such. Ah well, I give up!

[digininja]

About 3 questions back I asked if the wifi was encrypted and you said you didn't think so, now you say that there is a password, which is it? Open network, WEP, WPA(2)?

[Skyrunner]

I thought you meant as in some sort of other encryption sorry! Didn't think you was talking about the password to even get on the network!
Using WPA2 -PSK

Complete beginner at this. Studying cyber security in September so hoping to get a headstart now.. Must be making people so many people *facepalm* right now

Edited May 30, 2014 by jonnyh1994