Wireshark sniffing

[M@$T]

Hi All, 

Getting to understand and play around with wireshark for network sniffing.. I know that when i filter for http.request.method == POST i can view un encrypted passwords.. Question is.. If you are on a network and you want to sniff a specific PC.. how should the sniff be? do i filter out the IP of that specific PC? or listen to anything going towards the router and filter that PC's IP?

[digip]

first, sniffing traffic for post will only work it its sent in the clear. if it's over https, you won't see it without a MITM and stripping SSL from a clients connection. you can just type http as the filter and you will see all web traffic sent in the clear and you can then look through for the form data, which if you are only looking at POST, you might miss some obvious things of use, such as get requests, and reusing things like sessions and cookies, which require no username or password for reuse. If a user is already logged in, you will have missed the chance to capture the login anyways and using cookies manually can help log you in without the need for a password.

 

[M@$T]

Hi there, 

Thanks for your reply, Is it possible to sniff another PC on the network however? I know it might be a long shot but this is to create awareness of not using ssl. I cant find the proper way of sniffing another IP

[digip]

Short answer, yes...

Most traffic can be seen that is broadcast, but if you want specific machine traffic, either MITM, or, get a hub between the two machines which rebroadcasts everything. Over wifi, monitor mode, as well as MITM, dual nic or card with dual antenna capabilities to see both managed and monitor mode at the same time.

[M@$T]

Gotcha.. Thanks digip - so basically without placing a hub I can't sniff the workstation next to me just by using wireshark.. 

 

However.. If you are on an internal wifi - is this possible just using wireshark?

[digip]

Just now, M@$T said:

Gotcha.. Thanks digip - so basically without placing a hub I can't sniff the workstation next to me just by using wireshark.. 

 

However.. If you are on an internal wifi - is this possible just using wireshark?

not necessarily. You'll see some kinds of traffic on the network just by sniffing your NIC. You just won't see specific traffic between the next node and it's internet traffic unless it's rebroadcast over the network openly or with a MITM. you'll see all the arp requests, smb traffic and interaction with the router/switch but for capturing passwords or such you'll need to between them and the target systems. Open wireshark, put your card into promiscuous mode and see what is there though. You'd be surprised what you can learn from the network chatter such as who is at what IP, and their MAC address. That in part will be needed for doing more to intercept the traffic.

 

Read up on ARP and ARP Poisoning if you want to learn more.

[Wallruss]

In addition to digip's excellent comments, I would  also recommend reading up on the filtering options for wireshark.  It can be daunting if you're tackling it for the first time.  There are plenty of great examples to help proper filtering concepts 'click that lightbulb in your head to on' for you.  I would also recommend you start on a simple target network with just one or two machines.  That way you can see and understand the traffic better, which will help you solidify the fundamentals.  Once you're comfy on the simple network, add some more devices and keep on experimenting.