Wireshark and Recognizing Exploits, HakTip 138

Hak5 -- Cyber Security Education, Inspiration, News & Community since 2005:
____________________________________________
This week on HakTip, Shannon pinpoints an exploitation using Wireshark.

Building on last week's episode, this week we'll discuss what exploits look like in Wireshark. The example I'm sharing is from Practical Packet Analysis, a book by Chris Sanders about Wireshark.
Our example capture shows what happens when a user visits a malicious site with a vulnerable version of IE. This is called spear phishing. First, we have HTTP traffic on port 80. We notice a 302 Moved response from the malicious site whose Location header points somewhere very odd. Then a bunch of data gets transferred from the new site to the user. Click Follow TCP Stream. If you scroll down, you see gibberish that doesn't make sense and an iframe script: in this case, it's the exploit being sent to the user.
Scroll down to packet 21 and take a look at the .gif GET request. Lastly, follow packet 25's TCP stream. This shows us a Windows command shell, and the attacker gaining admin privileges to view our user's files. FREAKY. But now a network admin could use their intrusion detection system to set up a new alarm whenever an attack of this nature is seen.
If someone is trying to do a MITM attack on a user, it might look like our next example capture. Packets 54 and 55 are just ARP packets being sent back and forth, but in packet 56 the attacker sends another ARP packet with a different MAC address for the router, so the user's data goes to the attacker and then on to the router. Compare packet 57 to packet 40 and you see the same IP address but different destination MACs. This is ARP cache poisoning.
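As an added illustration (not code from the episode or the book) of the packet-56 check, this Python builds a few constructed ARP bodies that mirror packets 54 to 56 and flags any sender IP whose claimed MAC changes; every address below is made up.

```python
import struct
from ipaddress import IPv4Address

ARP_REQUEST, ARP_REPLY = 1, 2

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Pack the 28-byte Ethernet/IPv4 ARP body (RFC 826 field order)."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac_bytes(sender_mac) + IPv4Address(sender_ip).packed
            + mac_bytes(target_mac) + IPv4Address(target_ip).packed)

def parse_arp(body):
    """Unpack an ARP body into a dict; rejects anything that is not Ethernet/IPv4 ARP."""
    if len(body) < 28:
        raise ValueError("ARP body too short")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", body[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP body")
    fmt = lambda m: ":".join(f"{b:02x}" for b in m)
    return {"op": op, "sender_mac": fmt(body[8:14]), "sender_ip": str(IPv4Address(body[14:18])),
            "target_mac": fmt(body[18:24]), "target_ip": str(IPv4Address(body[24:28]))}

def detect_arp_poisoning(packets):
    """packets: iterable of (frame_number, arp_body). Learns the first MAC seen for each
    sender IP and reports any later packet claiming a different MAC for that IP, which is
    the same-IP/different-MAC pattern the episode spots in packet 56."""
    learned, alerts = {}, []
    for num, body in packets:
        arp = parse_arp(body)
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if ip in learned and learned[ip] != mac:
            alerts.append((num, ip, learned[ip], mac))
        learned.setdefault(ip, mac)
    return alerts

# Constructed sample capture (addresses are made up; frame numbers follow the episode).
ROUTER_IP, ROUTER_MAC = "192.168.0.1", "00:11:22:33:44:01"
VICTIM_IP, VICTIM_MAC = "192.168.0.10", "00:11:22:33:44:0a"
ATTACKER_MAC = "aa:bb:cc:dd:ee:ff"
SAMPLE = [
    (54, build_arp(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", ROUTER_IP)),
    (55, build_arp(ARP_REPLY, ROUTER_MAC, ROUTER_IP, VICTIM_MAC, VICTIM_IP)),
    (56, build_arp(ARP_REPLY, ATTACKER_MAC, ROUTER_IP, VICTIM_MAC, VICTIM_IP)),  # poisoned reply
]

if __name__ == "__main__":
    for num, ip, old, new in detect_arp_poisoning(SAMPLE):
        print(f"packet {num}: {ip} changed from {old} to {new} (possible ARP cache poisoning)")
```

On a real capture you would feed the same function the ARP bodies exported from Wireshark, and an IDS rule doing this per-IP MAC comparison is the alarm the description mentions.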

____________________________________________
Founded in 2005, Hak5's mission is to advance the InfoSec industry. We do this through our award winning educational podcasts, leading pentest gear, and inclusive community – where all hackers belong.
Comments

All these words are just hitting me in the face. Ms. Snubs, you continue to motivate me to continue learning new things, especially networking, which I have tried to avoid for so long. Thank you and keep up the great work.

LM-widn
Super nice video (as always), thanks Shannon!

Nstr_Jhnsn
Great job folks. Love sharing your Wireshark videos with my subscribers.

thetechfirm
I recognized the shellcode immediately. Pays to be a pentester in training.

zephyfoxy
My college appears to have come under some sort of attack not that long ago as all of the IP addresses on the network were reading as having the same MAC address, which is not the normal network behaviour

CyberiadPhoenix
I'm guessing the explanation is far too lengthy and complex for me to expect an answer, but isn't our router or browser or the firewall supposed to block these kinds of things? Now I have to do MS's job and learn to recognize and block malicious packets?

burtpanzer
Please mention the link to the Wireshark file you analysed.

prasanthkumar
Hi, I am hacked into and have DoS attacks daily. These people get my cameras down, then break into my home. This past weekend at 3am this was done and I heard them in my home and found my cat dead lying on the floor, the 2nd cat in 1 month dead like this out of nowhere when the cameras are down from hackers. I can see the router's logs from the attacks, of course. How can I track who this is, for proof of who it is? Thanks

dayshagreenawalt
If our router gets this attack, how do we protect ourselves from this kind of attack?

andypratama
What size green screen do you use, and where can I get one?

trollerjesus
It is so entertaining to watch even though I don't understand almost anything she says xD

clinsen
Hi wow, thanks. I think my computer is being hacked quite often; I'd like to know if Wireshark captures the hacker's information so I have the evidence?

youtuberocks
Only DoS attacks that just turn me into a bot, because I'm too lazy to automate. And I feel I shouldn't have to.

S.C.D.
Unfortunately you can get even near any access with that Windows shell :)

eakzit
"Using a bad version of Internet Explorer."

blackneos
I'd let you DDoS my life support machine

Iuzzzzzz