Welcome back to CyberShield! We have explored web vulnerabilities and reconnaissance. Now, it's time to go deeper into the network layer. If you want to see exactly what is traveling through your Wi-Fi or Ethernet cables, you need to master Wireshark.
What is Wireshark?
Wireshark is the world’s most popular network protocol analyzer. It allows you to capture and interactively browse the traffic running on a computer network. Think of it as a "microscope" for your network—it lets you see every single packet that is sent or received.
Why Do Pentesters Use Wireshark?
For a Cybersecurity professional, Wireshark is essential for:
Analyzing Protocols: Understanding how HTTP, DNS, TCP, and TLS work.
Finding Vulnerabilities: Spotting unencrypted sensitive data (like passwords) sent over plain HTTP or FTP.
Incident Response: Investigating how a malware or virus is communicating with its Command and Control (C2) server.
Network Troubleshooting: Fixing latency or connection issues.
Getting Started with Wireshark
1. Installation
Wireshark is free and open-source. You can download it for Windows, macOS, and it comes pre-installed on Kali Linux.
2. Selecting an Interface
When you open Wireshark, you will see a list of network interfaces (e.g., WiFi, Ethernet). Select the one with activity (indicated by a jagged line) and click the Blue Shark Fin icon to start capturing.
3. The Three-Pane View
Packet List Pane: Shows a summary of each packet (Source, Destination, Protocol).
Packet Details Pane: Shows the layers of the selected packet (OSI Model layers).
Packet Bytes Pane: Shows the raw data in Hex and ASCII.
Professional Tip: Using Display Filters
Capturing traffic generates thousands of packets per second. To find what you need, you must use Filters.
http: Shows only web traffic.ip.addr == 192.168.1.1: Shows traffic to or from a specific IP.tcp.port == 443: Shows encrypted HTTPS traffic.dns: Shows only domain name queries.http.request.method == "POST": Great for finding login attempts where passwords might be hidden.
Real-World Exercise: Finding a Cleartext Password
Start Capture: Open Wireshark and start capturing on your main interface.
Visit a Test Site: Go to an old, unencrypted site like
http://info.cern.chor a deliberate test site.Login: Enter a fake username and password in a login form.
Filter in Wireshark: Type
httpin the filter bar.Analyze: Look for a POST request. Right-click on it and select Follow > HTTP Stream.
The Result: You will see the login credentials in plain text because the site doesn't use HTTPS!
How to Defend Against Sniffing? (The Defense)
As a security researcher, you must promote encryption:
Use HTTPS: Ensure all websites use SSL/TLS certificates.
VPNs: Use a Virtual Private Network when on public Wi-Fi to encrypt all traffic.
Secure Protocols: Use SSH instead of Telnet, and SFTP instead of FTP.
Conclusion
Wireshark is a vast tool with endless possibilities. Mastering it will take you from a "script kiddie" to a professional "Network Security Analyst." Keep practicing by capturing your own traffic and trying to understand every layer of the packets.

Comments
Post a Comment