Wireshark sniffing


M@$T


Hi All, 

Getting to understand and play around with Wireshark for network sniffing. I know that when I filter for http.request.method == POST I can view unencrypted passwords. Question is, if you are on a network and you want to sniff a specific PC, how should the sniff be done? Do I filter on the IP of that specific PC, or listen to everything going towards the router and filter on that PC's IP?


First, sniffing traffic for POST will only work if it's sent in the clear. If it's over HTTPS, you won't see it without a MITM and stripping SSL from a client's connection. You can just type http as the filter and you will see all web traffic sent in the clear, and you can then look through it for the form data. If you are only looking at POST, you might miss some obvious things of use, such as GET requests, and reusing things like sessions and cookies, which require no username or password for reuse. If a user is already logged in, you will have missed the chance to capture the login anyway, and using cookies manually can help log you in without the need for a password.
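To make the filter semantics in the reply above concrete, here is a small added example (not code from the thread or from Wireshark) that models how a display filter selects packets. The packet records are constructed by hand and stand in for the fields a dissector exposes; the point it shows is that a TLS-wrapped request carries no http.* fields at all, so neither `http` nor `http.request.method == POST` can match it.

```python
"""Toy model of Wireshark display-filter matching over dissected fields.

Added example, not from the original thread. The packet summaries are
constructed; the filter syntax covers only the two forms used in the
thread ('http' and 'http.request.method == POST') plus '!='.
"""
import re

# Constructed packet summaries: each dict holds the fields a dissector would
# expose. Frame 3 is HTTPS: the HTTP request sits inside the encrypted TLS
# record, so no 'http.*' field exists for a filter to test.
PACKETS = [
    {"frame.number": 1, "ip.src": "192.0.2.10", "ip.dst": "192.0.2.1",
     "tcp.dstport": 80, "http": True, "http.request.method": "GET",
     "http.host": "intranet.example"},
    {"frame.number": 2, "ip.src": "192.0.2.10", "ip.dst": "192.0.2.1",
     "tcp.dstport": 80, "http": True, "http.request.method": "POST",
     "http.host": "intranet.example"},
    {"frame.number": 3, "ip.src": "192.0.2.10", "ip.dst": "198.51.100.5",
     "tcp.dstport": 443, "tls": True, "tls.record.content_type": 23},
    {"frame.number": 4, "ip.src": "192.0.2.1", "ip.dst": "192.0.2.10",
     "tcp.srcport": 80, "http": True, "http.response.code": 200},
    {"frame.number": 5, "ip.src": "192.0.2.11", "ip.dst": "192.0.2.1",
     "arp": True, "arp.opcode": 1},
]

# Grammar: '<field>' or '<field> == <value>' or '<field> != <value>'
_FILTER_RE = re.compile(r"^\s*([\w.]+)\s*(?:(==|!=)\s*(\S+))?\s*$")


def parse_filter(expr):
    """Split a filter into (field, operator, value); operator/value may be None."""
    m = _FILTER_RE.match(expr)
    if not m:
        raise ValueError(f"unsupported filter: {expr!r}")
    return m.groups()


def matches(packet, expr):
    """True if the packet satisfies the filter, mirroring Wireshark's
    rule that a bare field name tests for the field's presence."""
    field, op, value = parse_filter(expr)
    if field not in packet:
        return False
    if op is None:
        return True
    actual = str(packet[field])
    return actual == value if op == "==" else actual != value


def apply_filter(packets, expr):
    """Return the frame numbers Wireshark would leave visible for this filter."""
    return [p["frame.number"] for p in packets if matches(p, expr)]


def summarize(packets):
    """Count cleartext-HTTP versus TLS frames, the split the reply turns on."""
    return {"http": sum("http" in p for p in packets),
            "tls": sum("tls" in p for p in packets)}


if __name__ == "__main__":
    for expr in ("http", "http.request.method == POST", "tcp.dstport == 443"):
        print(f"{expr:35} -> frames {apply_filter(PACKETS, expr)}")
    print(summarize(PACKETS))
```

Running it shows `http` selecting frames 1, 2 and 4 and `http.request.method == POST` only frame 2, while the HTTPS request in frame 3 is reachable only through a transport-level filter such as `tcp.dstport == 443`. The same holds in a real capture: what a display filter can select is bounded by what the dissectors can decode.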


Short answer, yes.

Most traffic that is broadcast can be seen, but if you want a specific machine's traffic, either MITM, or get a hub between the two machines, which rebroadcasts everything. Over wifi, monitor mode, as well as MITM, or a dual NIC or a card with dual antenna capabilities to see both managed and monitor mode at the same time.


Just now, M@$T said:

Gotcha. Thanks digip, so basically without placing a hub I can't sniff the workstation next to me just by using Wireshark.


However, if you are on an internal wifi, is this possible just using Wireshark?

Not necessarily. You'll see some kinds of traffic on the network just by sniffing your NIC. You just won't see specific traffic between the next node and its internet traffic unless it's rebroadcast over the network openly or with a MITM. You'll see all the ARP requests, SMB traffic and interaction with the router/switch, but for capturing passwords or such you'll need to be between them and the target systems. Open Wireshark, put your card into promiscuous mode and see what is there, though. You'd be surprised what you can learn from the network chatter, such as who is at what IP, and their MAC address. That in part will be needed for doing more to intercept the traffic.


Read up on ARP and ARP Poisoning if you want to learn more.
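Since the reply above points at ARP and ARP poisoning, here is an added example (not from the thread) of the defensive side of the same network chatter: a passive monitor that watches ARP replies in a capture and flags an IP whose MAC binding changes, or a MAC that answers for several IPs. The ARP replies are constructed; the field names follow Wireshark's arp.* naming, where opcode 2 is a reply.

```python
"""Passive ARP monitor: flag IP/MAC bindings that change during a capture.

Added example, not from the original thread. The replies below are
constructed; in a real capture they would come from frames matching the
display filter 'arp.opcode == 2' (sender IP = arp.src.proto_ipv4,
sender MAC = arp.src.hw_mac).
"""
from collections import defaultdict

# Constructed ARP replies: (frame number, sender IP, sender MAC).
ARP_REPLIES = [
    (1, "192.0.2.1",  "00:00:5e:00:53:01"),   # gateway announces itself
    (2, "192.0.2.10", "00:00:5e:00:53:10"),
    (3, "192.0.2.11", "00:00:5e:00:53:11"),
    (4, "192.0.2.1",  "00:00:5e:00:53:01"),   # gateway again, same MAC: normal
    (5, "192.0.2.1",  "00:00:5e:00:53:11"),   # gateway IP now claimed by .11's MAC
    (6, "192.0.2.10", "00:00:5e:00:53:11"),   # and .10 too: both sides being redirected
]


class ArpMonitor:
    """Remembers the first MAC seen for each IP and alerts on any change."""

    def __init__(self):
        self.bindings = {}   # ip -> mac first observed
        self.alerts = []     # one dict per conflicting reply

    def observe(self, frame, ip, mac):
        mac = mac.lower()
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac           # first sighting becomes the baseline
        elif known != mac:
            self.alerts.append({"frame": frame, "ip": ip,
                                "expected": known, "seen": mac})
        return self.alerts


def run(replies):
    """Feed every reply through the monitor and return it for inspection."""
    mon = ArpMonitor()
    for frame, ip, mac in replies:
        mon.observe(frame, ip, mac)
    return mon


def macs_claiming_multiple_ips(replies):
    """A MAC answering for several IPs is one host speaking for many."""
    seen = defaultdict(set)
    for _, ip, mac in replies:
        seen[mac.lower()].add(ip)
    return {m: sorted(ips) for m, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    mon = run(ARP_REPLIES)
    for a in mon.alerts:
        print(f"frame {a['frame']}: {a['ip']} moved from {a['expected']} to {a['seen']}")
    print(macs_claiming_multiple_ips(ARP_REPLIES))
```

Frames 5 and 6 produce alerts, and `00:00:5e:00:53:11` shows up answering for three addresses. The monitor trusts whichever binding it sees first, so on a real network the baseline should come from a known-good source (DHCP leases, switch tables, or a static list of gateway MACs) rather than from the first packet in the capture.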


In addition to digip's excellent comments, I would also recommend reading up on the filtering options for Wireshark. It can be daunting if you're tackling it for the first time. There are plenty of great examples to help proper filtering concepts 'click that lightbulb in your head to on' for you. I would also recommend you start on a simple target network with just one or two machines. That way you can see and understand the traffic better, which will help you solidify the fundamentals. Once you're comfy on the simple network, add some more devices and keep on experimenting.
