M@$T Posted September 17, 2016
Hi all, I'm getting to understand and play around with Wireshark for network sniffing. I know that when I filter for http.request.method == POST I can view unencrypted passwords. The question is: if you are on a network and you want to sniff a specific PC, how should the sniff be? Do I filter out the IP of that specific PC, or listen to anything going towards the router and filter that PC's IP?
digip Posted September 18, 2016
First, sniffing traffic for POST will only work if it's sent in the clear. If it's over HTTPS, you won't see it without a MITM and stripping SSL from a client's connection. You can just type http as the filter and you will see all web traffic sent in the clear, and you can then look through for the form data. If you are only looking at POST, you might miss some obvious things of use, such as GET requests, and reusing things like sessions and cookies, which require no username or password for reuse. If a user is already logged in, you will have missed the chance to capture the login anyways, and using cookies manually can help log you in without the need for a password.
M@$T Posted September 22, 2016
Hi there, thanks for your reply. Is it possible to sniff another PC on the network, however? I know it might be a long shot, but this is to create awareness of not using SSL. I can't find the proper way of sniffing another IP.
digip Posted September 22, 2016
Short answer, yes... Most traffic that is broadcast can be seen, but if you want specific machine traffic, either MITM or get a hub between the two machines, which rebroadcasts everything. Over wifi: monitor mode, as well as MITM, dual NIC or a card with dual antenna capabilities to see both managed and monitor mode at the same time.
M@$T Posted September 22, 2016
Gotcha. Thanks digip - so basically without placing a hub I can't sniff the workstation next to me just by using Wireshark. However, if you are on an internal wifi - is this possible just using Wireshark?
digip Posted September 22, 2016
Just now, M@$T said:
> Gotcha. Thanks digip - so basically without placing a hub I can't sniff the workstation next to me just by using Wireshark. However, if you are on an internal wifi - is this possible just using Wireshark?
Not necessarily. You'll see some kinds of traffic on the network just by sniffing your NIC. You just won't see specific traffic between the next node and its internet traffic unless it's rebroadcast over the network openly or with a MITM. You'll see all the ARP requests, SMB traffic and interaction with the router/switch, but for capturing passwords or such you'll need to be between them and the target systems. Open Wireshark, put your card into promiscuous mode and see what is there though. You'd be surprised what you can learn from the network chatter, such as who is at what IP, and their MAC address. That in part will be needed for doing more to intercept the traffic. Read up on ARP and ARP Poisoning if you want to learn more.
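Added example, not part of any post in this thread: the ARP chatter described above is enough to build the "who is at what IP" table, and the same table is what a defender watches to notice ARP poisoning, because an IP address that suddenly answers from a different MAC stands out. The function names, frames and addresses below are constructed for illustration.

```python
import struct

ETH_ARP = 0x0806  # EtherType for ARP

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def ip(b):
    return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Return (eth_src, sender_mac, sender_ip) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP payload
        return None
    ethertype, htype, ptype, hlen, plen, _op = struct.unpack("!HHHBBH", frame[12:22])
    if (ethertype, htype, ptype, hlen, plen) != (ETH_ARP, 1, 0x0800, 6, 4):
        return None
    return mac(frame[6:12]), mac(frame[22:28]), ip(frame[28:32])

def audit(frames):
    """Build the IP -> MAC table and collect bindings that look inconsistent."""
    table, alerts = {}, []
    for n, frame in enumerate(frames, 1):
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        eth_src, sha, spa = parsed
        if eth_src != sha:
            alerts.append((n, spa, "Ethernet source differs from ARP sender MAC"))
        if spa == "0.0.0.0":  # ARP probe: announces no binding
            continue
        old = table.get(spa)
        if old is not None and old != sha:
            alerts.append((n, spa, f"binding changed {old} -> {sha}"))
        table[spa] = sha
    return table, alerts

def build(op, sha, spa, eth_src=None):
    """Constructed sample frame (not captured traffic); target fields are zeroed."""
    h = lambda m: bytes.fromhex(m.replace(":", ""))
    return (b"\xff" * 6 + h(eth_src or sha)
            + struct.pack("!HHHBBH", ETH_ARP, 1, 0x0800, 6, 4, op)
            + h(sha) + bytes(map(int, spa.split("."))) + bytes(10))

SAMPLE = [  # constructed: a client request, the gateway's reply, then a conflicting reply
    build(1, "02:00:00:00:00:01", "192.168.1.10"),
    build(2, "02:00:00:00:00:fe", "192.168.1.1"),
    build(2, "02:00:00:00:00:66", "192.168.1.1"),
]

if __name__ == "__main__":
    for alert in audit(SAMPLE)[1]:
        print(alert)
```

A changed binding can also be benign, for example a replaced NIC or a DHCP address handed to a different machine, so an alert is a prompt to check the switch and DHCP records rather than proof of interception.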
Wallruss Posted September 28, 2016
In addition to digip's excellent comments, I would also recommend reading up on the filtering options for Wireshark. It can be daunting if you're tackling it for the first time. There are plenty of great examples to help proper filtering concepts 'click that lightbulb in your head to on' for you. I would also recommend you start on a simple target network with just one or two machines. That way you can see and understand the traffic better, which will help you solidify the fundamentals. Once you're comfy on the simple network, add some more devices and keep on experimenting.